WO2023141876A1 - Data transmission method, apparatus and system, electronic device, and readable medium - Google Patents


Info

Publication number
WO2023141876A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
security
key
module
data transmission
Application number
PCT/CN2022/074293
Other languages
French (fr)
Chinese (zh)
Inventor
马希通
李涛
赵凯
夏友祥
Original Assignee
京东方科技集团股份有限公司
Application filed by 京东方科技集团股份有限公司
Priority application: CN202280000084.1A (published as CN116830525A)
Priority application: PCT/CN2022/074293 (published as WO2023141876A1)
Publication: WO2023141876A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the disclosure belongs to the field of computer technology, and in particular relates to a data transmission method, device, system, electronic equipment and readable medium.
  • the present disclosure aims to provide a data transmission method, device, system, electronic equipment and readable medium.
  • the first aspect of the present disclosure provides a data transmission method applied to a security enhancement module, which includes:
  • the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • before receiving the original transmission data sent by the data transmission device, the method also includes:
  • the receiving the original transmission data sent by the data transmission device specifically includes: receiving the original transmission data sent by the data transmission device when the device is authenticated.
  • the device registration request is sent by the data transmission device, and the device registration request includes: the module information of the security enhancement module and the device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device.
  • the auxiliary verification data includes: time stamp data; and, the device information of the data transmission device includes: device service type and/or device authentication type;
  • the determining the security key corresponding to the data type of the original transmission data includes: receiving the security key returned by the cloud platform in response to the key negotiation request sent by the data transmission device; wherein the security key is generated according to the device service type and/or device authentication type.
  • the receiving the security key returned by the cloud platform in response to the key negotiation request sent by the data transmission device includes:
  • when the device authentication type is the first authentication type, the security key corresponds to the device identification; when the device authentication type is the second authentication type, the security key corresponds to the device model; when the device authentication type is the third authentication type, the security key corresponds to the device service type.
  • the platform certificate generated by the cloud platform is a platform certificate in the form of ciphertext; then, adding auxiliary verification data to the platform certificate to obtain the module certificate includes:
  • the module certificate in plain text form is encrypted by the module certificate key to obtain the module certificate in cipher text form.
  • the platform certificate in ciphertext form is obtained through symmetric encryption; the module certificate in ciphertext form is obtained through asymmetric encryption; and the key of the module certificate is obtained from the cloud platform.
  • the determining the security key corresponding to the original transmission data, and performing encryption and decryption processing on the original transmission data through the security key includes:
  • Encryption and decryption are performed on the original transmission data through the security key and the encryption and decryption methods.
  • the data type includes at least one of the following: plaintext type, ciphertext type, sending type, receiving type, transmission data type, and security verification type;
  • the security key includes at least one of the following: a symmetric key, an asymmetric key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key, and a variable key;
  • the encryption and decryption methods include: symmetric encryption, symmetric decryption, asymmetric encryption, and asymmetric decryption.
  • the security enhancement module is pluggably connected to the data transmission device through a preset interface, and the security enhancement module communicates with the data transmission device through a preset transmission protocol corresponding to the preset interface; wherein the preset interface includes a USB interface.
  • data transmission is performed between the security enhancement module and the data transmission device through a preset application program interface; and the application program interface is provided by a software development kit corresponding to the security enhancement module.
  • the second aspect of the present disclosure provides a data transmission method applied to a data transmission device, which includes:
  • the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • before sending the original transmission data to the security enhancement module, the method also includes:
  • the sending the original transmission data to the security enhancement module specifically includes: sending the original transmission data to the security enhancement module when the device is authenticated.
  • the device registration request includes: the module information of the security enhancement module and the device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device;
  • the auxiliary verification data includes: timestamp data; the device information of the data transmission device includes: device service type and/or device authentication type; then the security key corresponding to the original transmission data is generated by the cloud platform according to the device service type and/or device authentication type;
  • when the device authentication type is the first authentication type, the security key corresponds to the device identification; when the device authentication type is the second authentication type, the security key corresponds to the device model; when the device authentication type is the third authentication type, the security key corresponds to the device service type.
  • before receiving the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data, the method also includes:
  • according to the result returned by the cloud platform, providing the security enhancement module with a security key from the cloud platform; wherein the security key is generated according to the device service type and/or device authentication type.
  • providing the security key from the cloud platform to the security enhancement module includes:
  • the first key is decrypted to obtain the security key.
  • the sending the original transmission data to the security enhancement module includes: performing protocol conversion processing on the original transmission data received through the platform transmission protocol, and sending the original transmission data after the protocol conversion processing to the security enhancement module;
  • the original transmission data is the local data of the data transmission device.
  • after receiving the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data, the method further includes: performing protocol conversion processing on the secure transmission data received through the preset transmission protocol, and sending the secure transmission data after the protocol conversion processing to the cloud platform.
  • the third aspect of the present disclosure provides a data transmission method applied to a cloud platform, which includes:
  • the method also includes:
  • said generating the platform certificate according to the received device registration request includes:
  • the generating the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device includes:
  • the parsing of the module certificate, and performing device authentication according to the parsing result include:
  • the sending the generated security key to the security enhancement module includes:
  • the device information includes: device service type and/or device authentication type.
  • sending the generated security key to the security enhancement module includes:
  • a fourth aspect of the present disclosure provides a data transmission device, which includes:
  • a receiving module configured to receive the original transmission data sent by the data transmission device
  • the encryption and decryption module is configured to determine a security key corresponding to the original transmission data, and perform encryption and decryption processing on the original transmission data through the security key to obtain secure transmission data;
  • a sending module configured to send the secure transmission data to the data transmission device
  • the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • a fifth aspect of the present disclosure provides a data transmission device, which includes:
  • a sending module configured to send the original transmission data to the security enhancement module
  • the receiving module is configured to receive the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data;
  • the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • a sixth aspect of the present disclosure provides a cloud platform, which includes:
  • a key sending module configured to send the generated security key to the security enhancement module
  • the first transmission module is configured to send the encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module, and the security enhancement module performs decryption processing according to the security key; and/or,
  • the second transmission module is configured to receive the second transmission data sent by the data transmission device and encrypted by the security enhancement module with the security key.
  • a seventh aspect of the present disclosure provides a data transmission system, which includes: the data transmission device of the fourth aspect, the data transmission device of the fifth aspect, and the cloud platform of the sixth aspect.
  • the eighth aspect of the present disclosure provides an electronic device, including:
  • one or more processors;
  • a memory on which one or more programs are stored, and when the one or more programs are executed by the one or more processors, the one or more processors implement the method described in any one of the above;
  • One or more I/O interfaces are connected between the processor and the memory, configured to realize information exchange between the processor and the memory.
  • a ninth aspect of the present disclosure provides a computer-readable medium on which a computer program is stored, and when the program is executed by a processor, the method described in any one of the above-mentioned methods is implemented.
  • FIG. 1 is a flowchart of a data transmission method applied to a security enhancement module provided by an embodiment of the present disclosure
  • FIG. 2 is a flowchart of a data transmission method applied to a data transmission device provided by an embodiment of the present disclosure
  • FIG. 3 is a flowchart of a data transmission method applied to a cloud platform provided by an embodiment of the present disclosure
  • FIG. 4 is a flowchart of a data transmission method applied to a security enhancement module, a data transmission device, and a cloud platform provided by an embodiment of the present disclosure
  • FIG. 5 is a structural diagram of a data transmission device provided by an embodiment of the present disclosure.
  • FIG. 6 is a structural diagram of a data transmission device provided by another embodiment of the present disclosure.
  • FIG. 7 is a structural diagram of a cloud platform provided by an embodiment of the present disclosure.
  • FIG. 8 is a structural diagram of a data transmission system according to an embodiment of the present disclosure.
  • FIG. 9 is a functional block diagram of an electronic device according to an embodiment of the present disclosure.
  • the embodiments of the present disclosure provide a data transmission method, which improves the reliability of data transmission through a security enhancement module, and avoids data leakage problems caused by attacks on external devices.
  • the data transmission method provided by the embodiment of the present disclosure may be applied to a security enhancement module.
  • the security enhancement module can be connected with the data transmission device through plugging, and the data transmission device and the cloud platform communicate with each other.
  • the method includes:
  • Step S110 Receive the original transmission data sent by the data transmission device.
  • the original transmission data is used for transmission between the data transmission device and the cloud platform.
  • the data transmission device can be various types of external devices.
  • the original transmission data can be the data sent by the cloud platform to the data transmission device, or the data generated by the data transmission device and sent to the cloud platform.
  • the present invention does not limit the data type and data source of the original transmission data.
  • Step S120 Determine the security key corresponding to the original transmission data, and perform encryption and decryption processing on the original transmission data through the security key to obtain secure transmission data.
  • the security key is obtained from the cloud platform. If the original transmission data is the data sent by the cloud platform to the data transmission device, it is usually in an encrypted state. Therefore, it is necessary to perform decryption processing through the security key to obtain the secure transmission data in the decrypted state. If the original transmission data is generated by the data transmission device and sent to the cloud platform, it is usually in an unencrypted state. Therefore, it is necessary to perform encryption processing with a security key to obtain secure transmission data in an encrypted state.
  • Step S130 Send the secure transmission data to the data transmission device.
  • the security enhancement module sends the encrypted or decrypted secure transmission data to the data transmission device for subsequent processing by the data transmission device.
  • the data transmission method provided by the embodiment of the present disclosure may be applied to a data transmission device.
  • the method includes:
  • Step S210 Send the original transmission data to the security enhancement module.
  • the original transmission data is used for transmission between the data transmission device and the cloud platform.
  • the data transmission device can be various types of external devices.
  • the original transmission data can be the data sent by the cloud platform to the data transmission device, or the data generated by the data transmission device and sent to the cloud platform.
  • the present invention does not limit the data type and data source of the original transmission data.
  • Step S220 Receive the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data.
  • the security key is obtained from the cloud platform. If the original transmission data is the data sent by the cloud platform to the data transmission device, it is usually in an encrypted state. Therefore, it is necessary to perform decryption processing through the security key to obtain the secure transmission data in the decrypted state. If the original transmission data is generated by the data transmission device and sent to the cloud platform, it is usually in an unencrypted state. Therefore, it is necessary to perform encryption processing with a security key to obtain secure transmission data in an encrypted state.
  • the data transmission method provided by the embodiment of the present disclosure may be applied to a cloud platform.
  • the method includes:
  • Step S310 Send the generated security key to the security enhancement module.
  • the security key can be generated in various ways, for example, the security key can be obtained through a key negotiation operation between the cloud platform and the data transmission device.
  • the security key may also be determined according to the device type of the data transmission device, so that the security key is sent to the security enhancement module through the data transmission device.
  • Step S320 Send the encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module, so that the security enhancement module performs decryption processing according to the security key.
  • the cloud platform sends the encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module, and correspondingly, the security enhancement module performs decryption processing according to the security key provided by the cloud platform.
  • Step S330 Receive the second transmission data sent by the data transmission device and encrypted by the security enhancement module with the security key.
  • the cloud platform receives the encrypted second transmission data sent by the data transmission device, and the encrypted second transmission data is encrypted by the security enhancement module with the help of the security key provided by the cloud platform.
  • step S320 and step S330 can be performed alternatively, or step S320 and step S330 can also be performed simultaneously or alternately, which is not limited in the present invention.
  • encryption and decryption operations can be performed on the transmission data between the cloud platform and the data transmission device. Since the encryption and decryption processes are all implemented inside the security enhancement module, and the security key is obtained from the cloud platform, the method avoids potential safety hazards caused by untrustworthy data transmission equipment and improves data security.
  • the data transmission method provided by the embodiment of the present disclosure is used to implement data interaction among a cloud platform, a data transmission device, and a security enhancement module.
  • the data transmission device can be various types of external devices used to access cloud platforms such as the Internet of Things, including various types of devices such as conference devices and security devices. Due to the large number of external devices, various sources, and different types, it will undoubtedly take a lot of time and cost to conduct security checks on each external device one by one, and it is easy to cause safety hazards due to missed inspections and other problems. It can be seen that, in the application scenario of this embodiment, data transmission devices have characteristics such as wide sources and difficult security checks.
  • a security enhancement module is provided.
  • the encryption and decryption process of sensitive data is realized through the security enhancement module, so as to ensure that the sensitive data is not leaked, and the communication security is improved in the scenario where the data transmission equipment is untrustworthy.
  • the security enhancement module can communicate with the data transmission device in various ways.
  • the security enhancement module can be connected with the data transmission device through a wired or wireless manner.
  • in order to improve the flexibility of deploying the security enhancement module, it is connected to the data transmission device in a pluggable manner to realize mutual communication.
  • the security enhancement module may be connected to the data transmission device through a USB interface, or may also be connected through an internal data bus, such as PCIe/LVDS/I2C/UART.
  • the security enhancement module can be inserted into the data transmission device as a security chip (FPGA), thereby connecting to a SoC (System on Chip) through an internal data bus and communicating with the data transmission device.
  • the present disclosure does not limit the specific access form of the security enhancement module, as long as the purpose of communicating with the data transmission device flexibly and conveniently can be achieved.
  • the security enhancement module can replace the data transmission device to implement data encryption and decryption, data verification, etc., thereby improving security.
  • device registration and device authentication operations are performed before data transmission, and data transmission is performed only after the device authentication is passed, thereby effectively preventing suspicious devices from accessing the cloud platform.
  • the method includes the following steps:
  • Step S1 The data transmission device sends a device registration request to the cloud platform.
  • the device registration request is used to register the relevant information of the data transmission device on the cloud platform, and, during the device registration process, the cloud platform not only needs to record the device information of the data transmission device, but also needs to record the module information of the security enhancement module associated with the data transmission device.
  • the legitimacy of the data transmission device and the security enhancement module is verified to ensure the trusted access of the device.
  • the security enhancement module is assigned to the data transmission device in advance, and correspondingly, the device registration request sent by the data transmission device includes: module information of the security enhancement module and device information of the data transmission device.
  • the module information of the security enhancement module is used to uniquely identify a security enhancement module, for example, may be an ID of the security enhancement module.
  • the device information of the data transmission device is used to describe the device characteristics of the data transmission device.
  • the device information includes: a device service type and/or a device authentication type.
  • the device service type is used to describe the service type of the data transmission device, such as conference type, security type, and the like.
  • the device service type may also be a gateway type, a lighting type, a camera type, and the like.
  • the device authentication type is used to describe the authentication method of the device, which can be set by the security level of the device.
  • since the module information is carried in the device registration request sent by the data transmission device, the corresponding relationship between the data transmission device and the security enhancement module can be flexibly adjusted, which facilitates flexible pairing between the security enhancement module and the data transmission device.
  • the security enhancement module is not pre-assigned to the data transmission device.
  • when the cloud platform receives the device registration request, it allocates the corresponding security enhancement module to the data transmission device.
  • the device registration request sent by the data transmission device includes: the device information of the data transmission device, but does not include the module information of the security enhancement module.
  • the security enhancement module is directly allocated by the cloud platform. Therefore, the corresponding relationship between the security enhancement module and the data transmission device is preset by the cloud platform, and cannot be changed at will later, so the security is high.
  • At least one of the above two methods can be flexibly selected according to the characteristics of specific business scenarios.
  • Step S2 The cloud platform generates a platform certificate according to the received device registration request.
  • the cloud platform obtains the module information of the security enhancement module and the device information of the data transmission device contained in the device registration request, and generates a platform certificate according to the module information of the security enhancement module and the device information of the data transmission device.
  • the module information of the security enhancement module and the device information of the data transmission device are further encrypted to obtain the platform certificate in ciphertext form.
  • the cloud platform parses the device registration request, obtains the module information of the security enhancement module and the device information of the data transmission device contained in it, encrypts the module information of the security enhancement module and the device information of the data transmission device with the platform certificate key (such as key A), and obtains the platform certificate according to the encrypted result.
  • the encryption operation may be a symmetric encryption operation.
  • an AES encryption algorithm may be used. It can be seen that the plaintext of the platform certificate includes the module information of the security enhancement module and the device information of the data transmission device, and the security in the transmission process can be improved through the encryption operation.
  • the cloud platform parses the device registration request, obtains the device information of the data transmission device contained therein, and allocates a corresponding security enhancement module according to the type of the data transmission device.
  • the security enhancement module is allocated by the cloud platform according to the device information in the device registration request.
  • the cloud platform selects and assigns the security enhancement module that matches the device type of the current device.
  • Step S3 The cloud platform provides the platform certificate to the security enhancement module.
  • the cloud platform can provide the platform certificate to the security enhancement module through the data transmission device, or directly provide the platform certificate to the security enhancement module.
  • the security enhancement module receives and stores the platform certificate generated by the cloud platform in response to the device registration request.
  • the cloud platform sends the platform certificate to the data transmission device, and the data transmission device provides the platform certificate and the platform certificate key to the security enhancement module.
  • the cloud platform directly provides the platform certificate and the platform certificate key to the security enhancement module.
  • the platform certificate stored in the security enhancement module is added dynamically, so that different data transmission devices can be dynamically adapted, and the flexibility is improved.
  • the platform certificate and platform certificate key can be directly burned in the security enhancement module, thereby further improving security.
  • the cloud platform needs to record the corresponding relationship between the module information of the security enhancement module and the device information of the data transmission device, so as to further improve the security of the subsequent authentication process by means of the corresponding relationship, and prevent the security risks caused by malicious replacement of the data transmission device or the security enhancement module.
  • Step S4 the data transmission device sends an authentication instruction to the security enhancement module.
  • the data transmission device actively initiates a device authentication operation, so as to send an authentication instruction to the security enhancement module.
  • Step S5 In response to the authentication instruction, the security enhancement module adds auxiliary verification data to the platform certificate to obtain the module certificate.
  • in response to the authentication instruction sent by the data transmission device, the security enhancement module adds auxiliary verification data to the stored platform certificate to obtain the module certificate.
  • the auxiliary verification data includes various additional data that can realize the auxiliary verification function, such as time stamp data, device fingerprint data, and the like.
  • the platform certificate generated by the cloud platform is a platform certificate in ciphertext form.
  • the security enhancement module decrypts the platform certificate in ciphertext form according to the platform certificate key (such as key A) provided by the cloud platform to obtain the platform certificate in plaintext form.
  • the key used to decrypt the platform certificate is the same as the key the cloud platform used to encrypt it, so decryption can be performed at a relatively fast speed.
  • asymmetric encryption and decryption can also be used instead.
  • the security enhancement module adds the auxiliary verification data to the platform certificate in plaintext to obtain the module certificate in plaintext.
  • the security enhancement module obtains the internal system time, generates time stamp data according to the internal system time, adds the time stamp data to the platform certificate, and obtains the module certificate.
  • this process is essentially a certificate reorganization process.
  • through certificate reorganization, security can be further improved with the help of the auxiliary verification data. For example, if the timestamp data has been tampered with, the certificate was attacked during transmission.
  • the module certificate in plain text is encrypted by the module certificate key to obtain the module certificate in cipher text.
  • the platform certificate in ciphertext is obtained through symmetric encryption; the module certificate in ciphertext is obtained through asymmetric encryption; and the key of the module certificate is obtained from the cloud platform.
  • the module certificate in ciphertext form is obtained through an asymmetric encryption method, the transmission security of the module certificate can be improved.
  • the module certificate key can be obtained in various ways.
  • the security enhancement module sends a communication request (also called a module certificate key acquisition request) to the cloud platform through the data transmission device.
  • the cloud platform produces the module certificate private key b and the module certificate public key B according to the received communication request, wherein the module certificate private key b is stored in the cloud platform, and the module certificate public key B is forwarded to the security enhancement module through the data transmission device.
  • the module certificate public key B is the module certificate key. It can be seen that asymmetric encryption and decryption are realized with the help of the module certificate private key b and the module certificate public key B.
  • the security enhancement module is pluggably connected to the data transmission device through a preset interface, and communicates with the data transmission device using the preset transmission protocol corresponding to the preset interface (that is, the first transmission protocol); the preset interface includes a USB interface, and the preset transmission protocol includes the USB protocol.
  • the data transmission device communicates with the cloud platform through a platform transmission protocol (that is, the second transmission protocol), for example the MQTT protocol.
  • MQTT (Message Queuing Telemetry Transport) is a client-server message publish/subscribe transport protocol built on TCP/IP and standardized as ISO/IEC 20922.
  • the MQTT protocol is lightweight, simple, open and easy to implement; these characteristics make it applicable to a wide range of applications, in particular M2M (machine-to-machine) and IoT (Internet of Things) communication.
  • the data transmission device needs to perform a protocol conversion operation: data received from the security enhancement module through the first transmission protocol is protocol-converted and then sent to the cloud platform through the second transmission protocol, and data from the cloud platform is protocol-converted and then sent to the security enhancement module through the first transmission protocol. Therefore, in this step, the data transmission device converts the communication request from the security enhancement module from the USB protocol to the MQTT protocol and transmits it to the cloud platform; and after receiving the module certificate public key B sent by the cloud platform through the MQTT protocol, it performs protocol conversion and sends the key to the security enhancement module through the USB protocol.
  • Step S6 The security enhancement module sends the module certificate to the cloud platform for the cloud platform to perform device authentication.
  • the security enhancement module first sends the module certificate to the data transmission device, and the data transmission device sends the module certificate to the cloud platform for device authentication.
  • the data transmission device sends the received module certificate from the security enhancement module to the cloud platform for the cloud platform to perform device authentication.
  • the security enhancement module sends the module certificate in ciphertext to the data transmission device through the USB protocol, and the data transmission device sends the module certificate in ciphertext to the cloud platform through the MQTT protocol.
  • Step S7 The cloud platform receives the module certificate sent by the security enhancement module through the data transmission device, parses the module certificate, and performs device authentication according to the parsing result.
  • the cloud platform decrypts the received module certificate in ciphertext form to obtain the module certificate in plaintext form; and matches the module certificate in plaintext form with the pre-generated platform certificate; If the matching is successful, the device authentication is passed.
  • the module certificate in ciphertext form can be asymmetrically decrypted through the module certificate private key b mentioned above.
  • the module certificate in plaintext includes: the auxiliary verification data and the platform certificate in plaintext obtained by the security enhancement module through decryption.
  • the module information of the security enhancement module and the device information of the data transmission device contained in the platform certificate plaintext decrypted by the security enhancement module are consistent with the corresponding information in the platform certificate pre-generated by the cloud platform. Therefore, if the module certificate in plaintext matches the pre-generated platform certificate, the device authentication passes; if the match fails, the device authentication fails.
  • the cloud extracts the effective information from the decrypted module certificate plaintext; for example, it extracts the ID of the security enhancement module, that is, the unique internal ID of the security enhancement module serves as the only root of trust of the data transmission device on the cloud platform.
  • the cloud platform compares the extracted internal unique ID of the security enhancement module with the root of trust stored in the cloud. If they match, the authentication succeeds; otherwise the authentication fails.
  • the cloud platform transmits the authentication result in plain text to the data transmission device through the MQTT protocol, and the data transmission device transmits the authentication result to the security module through the USB protocol.
  • the cloud platform only compares the module information of the security enhancement module, and as long as the module information of the security enhancement module matches successfully, the authentication is successful.
  • the cloud platform compares not only the module information of the security enhancement module but also the device information of the data transmission device; the authentication succeeds only when the combination of the module information of the security enhancement module and the device information of the data transmission device is consistent with the correspondence pre-stored on the cloud platform. In this way, the authentication is performed through the combined relationship of module information and device information, so a change of either the data transmission device or the security enhancement module results in an authentication failure, which improves security.
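The registration and authentication exchange described above (steps S1 to S7), as an added worked example that is not part of the patent or of any implementation by the applicant. It is written in Go with standard-library primitives chosen here: AES-256-GCM as the symmetric algorithm for the platform certificate under key A (the page only says AES), RSA-OAEP with the cloud's key pair (b, B) for the module certificate, and a JSON certificate body whose field names are assumptions. The device fingerprint carried in the authentication instruction and the timestamp window are the auxiliary verification data; the cloud rejects a module certificate when the module ID, the recorded device binding, the reported fingerprint or the timestamp do not match, which is the "malicious replacement" check the text describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cert is the certificate body: ModuleID, DeviceID and AuthType form the platform
// certificate (field names assumed); Timestamp and Fingerprint are the auxiliary
// verification data the module adds when it reorganizes it into the module certificate.
type Cert struct {
	ModuleID    string `json:"module_id"` // unique internal ID of the security enhancement module
	DeviceID    string `json:"device_id"` // device information of the data transmission device
	AuthType    string `json:"auth_type"` // one-machine-one-secret, one-type-one-secret, unified
	Timestamp   int64  `json:"ts,omitempty"`
	Fingerprint string `json:"fp,omitempty"` // device identity reported in the authentication instruction
}

// aesGCM is the symmetric cipher used with key A for the platform certificate.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key A is generated below as 32 bytes; anything else is a program bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// Cloud holds key A, the key pair (b, B) and the bindings recorded at registration.
type Cloud struct {
	KeyA     []byte
	PrivB    *rsa.PrivateKey
	Registry map[string]Cert // module ID -> platform certificate
}

func NewCloud() (*Cloud, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	keyA := make([]byte, 32)
	_, err = rand.Read(keyA)
	return &Cloud{KeyA: keyA, PrivB: priv, Registry: map[string]Cert{}}, err
}

// Register (S1-S3): record the module/device binding and return the platform
// certificate ciphertext; key A itself is burned into the module out of band.
func (c *Cloud) Register(pc Cert) ([]byte, error) {
	c.Registry[pc.ModuleID] = pc
	pt, _ := json.Marshal(pc)
	g := aesGCM(c.KeyA)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil // random nonce prefixed to the ciphertext
}

// BuildModuleCert (S5, module side): decrypt with key A, add the auxiliary data,
// encrypt with public key B. RSA-OAEP with a 2048-bit key and SHA-256 wraps at
// most 190 bytes, enough for this certificate; a larger one needs a hybrid scheme.
func BuildModuleCert(keyA, certCT []byte, pubB *rsa.PublicKey, fingerprint string, now time.Time) ([]byte, error) {
	g := aesGCM(keyA)
	if len(certCT) < g.NonceSize() {
		return nil, errors.New("platform certificate too short")
	}
	pt, err := g.Open(nil, certCT[:g.NonceSize()], certCT[g.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("platform certificate decryption failed")
	}
	var mc Cert
	if err := json.Unmarshal(pt, &mc); err != nil {
		return nil, err
	}
	mc.Timestamp, mc.Fingerprint = now.Unix(), fingerprint
	mpt, _ := json.Marshal(mc)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, mpt, []byte("module-cert"))
}

// Authenticate (S7): decrypt with b, compare the certificate and the reported
// fingerprint with the recorded binding, reject timestamps outside the window.
func (c *Cloud) Authenticate(ct []byte, now time.Time, maxSkew time.Duration) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, c.PrivB, ct, []byte("module-cert"))
	if err != nil {
		return errors.New("module certificate decryption failed")
	}
	var mc Cert
	if err := json.Unmarshal(pt, &mc); err != nil {
		return err
	}
	exp, ok := c.Registry[mc.ModuleID]
	if !ok || mc.DeviceID != exp.DeviceID || mc.AuthType != exp.AuthType || mc.Fingerprint != exp.DeviceID {
		return errors.New("module/device binding mismatch")
	}
	if d := now.Sub(time.Unix(mc.Timestamp, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside acceptance window")
	}
	return nil
}

func main() {
	cloud, _ := NewCloud()
	certCT, _ := cloud.Register(Cert{ModuleID: "SEM-0001", DeviceID: "GW-0001", AuthType: "one-machine-one-secret"})
	genuine, _ := BuildModuleCert(cloud.KeyA, certCT, &cloud.PrivB.PublicKey, "GW-0001", time.Now())
	moved, _ := BuildModuleCert(cloud.KeyA, certCT, &cloud.PrivB.PublicKey, "GW-0002", time.Now())
	fmt.Println("genuine device:", cloud.Authenticate(genuine, time.Now(), time.Minute))
	fmt.Println("module moved to another device:", cloud.Authenticate(moved, time.Now(), time.Minute))
}
```

Key A never crosses the USB link in this model: the module is handed the cloud's copy only because both sides run in one process here, whereas in a deployment it would sit in the module's trusted storage and only the platform certificate ciphertext would be provisioned. The identifiers `SEM-0001` and `GW-0001` are constructed sample values.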
  • Step S8 The cloud platform feeds back the authentication result to the data transmission device.
  • Step S9 When the device authentication is passed, the data transmission device sends the original transmission data to the security enhancement module.
  • This step includes at least the following two situations:
  • the cloud platform sends the encrypted first transmission data to the data transmission device, and correspondingly, the data transmission device provides the encrypted first transmission data to the security enhancement module. That is, the original transmission data is: the first transmission data sent by the cloud platform to the data transmission device.
  • the data transmission device needs to send the unencrypted original transmission data to the cloud platform.
  • the unencrypted original transmission data is first sent to the security enhancement module for encryption processing to obtain the second transmission data.
  • the second transmission data is sent by the security enhancement module to the data transmission device, and then sent to the cloud platform by the data transmission device.
  • the cloud platform receives the second transmission data sent by the data transmission device and encrypted by the security enhancement module with the security key.
  • Step S10 the data transmission device sends a key negotiation request to the cloud platform.
  • this step may also be executed before step S9, and the present invention does not limit the execution timing of this step.
  • this step can also be performed multiple times during the subsequent data transmission process, that is, a key negotiation request is sent to the cloud platform every preset period of time so that the security key is replaced, which improves security.
  • the specific execution timing and execution frequency of this step can be flexibly set according to business scenarios.
  • the sending frequency of the key agreement request is determined according to the device service type and/or device authentication type contained in the device information of the aforementioned data transmission device. For example, if it is determined according to the device service type and/or device authentication type that the security level of the device is high, it is necessary to increase the sending frequency of the key agreement request; otherwise, reduce the sending frequency of the key agreement request. In a word, the sending frequency of the key agreement request is determined according to the device service type and/or device authentication type, which can flexibly adapt to various service scenarios.
  • Step S11 The cloud platform sends the generated security key to the security enhancement module through the data transmission device in response to the key agreement request.
  • the cloud platform acquires device information corresponding to the key negotiation request, generates a security key according to the device information, and sends the generated security key to the security enhancement module.
  • the device information includes the above-mentioned device business type and/or device authentication type.
  • the data transmission device provides the security enhancement module with the security key from the cloud platform according to the result returned by the cloud platform.
  • the security key corresponds to the device identifier.
  • This type needs to generate a key for each device, and because the device is unique, it has higher security.
  • the security key corresponds to the device model.
  • This type needs to generate a key for each device model, and since the same model may contain multiple devices, the security is slightly lower than the security key of the first authentication type.
  • the security key corresponds to the device service type.
  • This type can generate a unified security key for all devices, so the security is the lowest.
  • the same security key can be generated for data transmission devices of the same service type.
  • the type of device authentication and the way of generating the security key depend on factors such as the type of data in the business scenario, which is not limited in the present disclosure.
  • the sending frequency of the key agreement request in this disclosure (that is, the replacement frequency of the security key) and the generation method of the security key can be flexibly adjusted according to actual business needs, so it can fully meet various data transmission services security needs.
  • the cloud platform encrypts the generated security key with the platform private key to obtain the first key, and sends the first key to the security enhancement module through the data transmission device.
  • the data transmission device sends the first key obtained after the cloud platform encrypts the security key with the platform private key to the security enhancement module.
  • the security enhancement module receives the first key obtained after the cloud platform encrypts the security key with the platform private key; decrypts the first key with the pre-acquired platform public key to obtain the security key.
  • both the platform public key and the platform private key are generated by the cloud platform, and the cloud platform provides the platform public key to the security enhancement module in advance. The way the platform public key and platform private key are generated can be set flexibly; for example, the platform public key can be the same as the module certificate public key B mentioned above, and the platform private key can be the same as the module certificate private key b mentioned above.
  • the security key is asymmetrically encrypted with the platform private key to obtain the first key (that is, the security key in ciphertext form). Asymmetric decryption is performed on the first key through the platform public key to obtain a security key. Asymmetric encryption and decryption can improve security.
  • the security key is sent to the data transmission device through the MQTT protocol, and the data transmission device performs protocol conversion and sends it to the security enhancement module through the USB protocol.
  • Step S12 The security enhancement module determines the security key corresponding to the original transmission data, and performs encryption and decryption processing on the original transmission data through the security key to obtain the security transmission data.
  • the security key is obtained through the key agreement operation in the above steps.
  • the security enhancement module further determines the data type of the original transmission data, and determines the security key and the encryption and decryption method according to the data type; through the security key and the encryption and decryption method, the original transmission data is encrypted and decrypted.
  • the data type includes at least one of the following: plaintext type, ciphertext type, sending type, receiving type, transmission data type, and security verification type; the security key includes at least one of the following: symmetric key, asymmetric key, key obtained from the cloud platform, locally generated key, encryption key, decryption key, fixed key, and variable key; and the encryption and decryption methods include: symmetric encryption, symmetric decryption, asymmetric encryption, and asymmetric decryption.
  • when the original transmission data is data received by the data transmission device from the cloud platform, that is, the data type is the ciphertext type and the receiving type, the decryption operation is performed; when the original transmission data is data to be sent by the data transmission device to the cloud platform, that is, the data type is the plaintext type and the sending type, the encryption operation is performed.
  • the original transmission data is: the first transmission data sent by the cloud platform to the data transmission device.
  • the security enhancement module decrypts the first transmission data by using the security key.
  • the original transmission data is the unencrypted original transmission data to be sent to the cloud platform by the data transmission device.
  • the security enhancement module encrypts the original transmission data through the security key.
  • the security key can be obtained in the following ways:
  • the security key returned by the cloud platform in response to the key agreement request sent by the data transmission device is received.
  • the cloud platform first sends the security key to the data transmission device, and then the data transmission device sends it to the security enhancement module.
  • the cloud platform first encrypts the security key with the platform private key to obtain the first key.
  • the security key is obtained in the following way: the first key, obtained after the cloud platform encrypts the security key with the platform private key, is received; the first key is then decrypted with the platform public key obtained in advance to obtain the security key.
  • Step S13 the security enhancement module sends the security transmission data to the data transmission device.
  • the security enhancement module can send the security transmission data to the data transmission device through the USB protocol.
  • the data transmission device receives the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data.
  • the original transmission data is the first transmission data sent by the cloud platform to the data transmission device, therefore, the data transmission device processes the decrypted first transmission data.
  • the data transmission device performs protocol conversion processing for the secure transmission data, so as to send it to the cloud platform through the MQTT protocol.
  • the data transmission device needs to perform the corresponding protocol conversion according to the data type: if the original transmission data is data received by the data transmission device from the cloud platform, the data transmission device performs protocol conversion on the original transmission data received through the platform transmission protocol (for example, the MQTT protocol), converting it to the preset transmission protocol (for example, the USB protocol), and sends the converted original transmission data to the security enhancement module. If the original transmission data is local data of the data transmission device, the data transmission device performs protocol conversion on the secure transmission data received through the preset transmission protocol (for example, the USB protocol), converting it to the platform transmission protocol (for example, the MQTT protocol), and sends the converted secure transmission data to the cloud platform.
  • since the transmission protocol used between the data transmission device and the cloud platform differs from the one used between the data transmission device and the security enhancement module, the data transmission device needs to perform protocol conversion on the data it receives or is about to send.
  • by using different transmission protocols between different devices, network attacks between devices can be avoided and security is improved.
  • this embodiment mainly includes the device registration process (steps S1, S2, S3), the device authentication process (steps S4, S5, S6, S7, S8), the key agreement process (steps S10, S11) and the data interaction transmission process (steps S9, S12, S13).
  • the device registration process and the device authentication process are mainly used to verify the identity of the device. Therefore, the key negotiation process and the data interaction transmission process can only be performed after the device registration process and the device authentication process are completed.
  • the key agreement process and the data interactive transmission may be executed sequentially or alternately. Wherein, both the key agreement process and the data interactive transmission process can be performed multiple times. Through multiple key negotiations, the security key can be dynamically changed, thereby improving security.
  • Device registration: the device side (that is, the data transmission device) registers on the IoT platform, and a certificate is generated.
  • the device registration process is mainly implemented by the cloud platform, which specifically includes the following steps:
  • Step 1 Device registration: The user is required to provide device number, device type and other information.
  • the device number may be the unique ID of the security enhancement module, that is, the registration of the device is completed through the unique ID of the security enhancement module.
  • the device number is backed up in the cloud.
  • Device types include gateways, lighting, cameras, etc. This solution does not limit the device types.
  • Step 2 Select the authentication type: including one machine one secret, one type one secret, and unified key.
  • One machine one secret is used for key generation for a single device, one type one secret is for a certain type of device to generate a key, and the unified key is used for key generation for all devices.
  • This scheme does not limit the authentication type.
  • the key generated in this step is recorded as the authentication key (that is, the platform certificate key and/or module certificate key mentioned above).
  • Step 3 Platform certificate encryption: The plaintext of the platform certificate consists of device number, device type, and authentication type.
  • Key A and a symmetric encryption algorithm, such as AES, are used to generate the platform certificate ciphertext.
  • Device authentication refers to the trusted access of devices to the cloud platform.
  • the overall authentication process includes multiple steps. The following describes the security enhancement module side, device side, and cloud respectively.
  • the security enhancement module side specifically performs the following steps:
  • Step 1 Receive an authentication instruction initiated by the device.
  • the security enhancement module uses key A and symmetric decryption to decrypt the ciphertext of the platform certificate to generate the plaintext of the platform certificate.
  • Key A is the same as the key used by the cloud platform to encrypt the plaintext of the platform certificate.
  • Step 2 Certificate reorganization: Obtain the system time from inside the security enhancement module, and generate the plaintext of the module certificate by adding a time stamp to the plaintext of the generated platform certificate.
  • Step 3 Generation of module certificate ciphertext: Encrypt the plaintext of the module certificate produced in step 2, using public key B and asymmetric encryption.
  • the acquisition process of the public key B is as follows: first, the security enhancement module sends a communication request, and performs protocol conversion through the device side, converting the USB protocol into the MQTT protocol.
  • the cloud receives the communication request, produces the private key b and the public key B, stores the private key b in the cloud and sends the public key B to the device side through the MQTT protocol; the device side converts it to the USB protocol and sends it to the security enhancement module.
  • the device side is used to send the module certificate ciphertext: the module certificate ciphertext produced by the security enhancement module is transmitted to the device side through the USB protocol, and the device side transmits the module certificate ciphertext to the cloud through the MQTT protocol.
  • the cloud certification process specifically includes the following steps:
  • Step 1 Decryption of module certificate ciphertext: the cloud decrypts the module certificate ciphertext through private key b and asymmetric decryption.
  • Step 2 Platform certificate extraction: The cloud extracts effective information from the decrypted module certificate plaintext. In this solution, the unique internal ID of the security enhancement module is extracted, that is, the unique internal ID of the security enhancement module is the only trusted root of the device in the cloud.
  • Step 3 Platform comparison: the internal unique ID of the security enhancement module extracted by the platform is compared with the root of trust stored in the cloud. If they match, the authentication succeeds; otherwise the authentication fails.
  • Step 4 The authentication result is transmitted to the device through the MQTT protocol in plain text, and the device transmits the authentication result to the security module through the USB protocol.
  • the key agreement process specifically includes the following steps:
  • Step 1 The cloud platform asymmetrically encrypts the key C through the platform private key to generate the key C ciphertext.
  • Step 2 the key C ciphertext is transmitted to the data transmission device through the MQTT protocol for protocol conversion, and the MQTT protocol is converted into a USB protocol.
  • the data transmission device transmits the key C ciphertext to the security enhancement module through the USB protocol.
  • Step 3 The security enhancement module decrypts the key C ciphertext in an asymmetric decryption manner through the platform public key to obtain the key C plaintext.
  • the plaintext of the key C is the security key determined through key negotiation.
  • Step 1 (data upload, device to cloud) The data transmission device transmits the plaintext of the uploaded data to the security enhancement module through the USB protocol.
  • Step 2 The security enhancement module encrypts the plaintext of the uploaded data by using the key C and a symmetric encryption method to generate a ciphertext of the uploaded data.
  • Step 3 The security enhancement module transmits the uploaded data ciphertext to the data transmission device through the USB protocol, and the data transmission device converts the USB protocol into the MQTT protocol through protocol conversion, and transmits the uploaded data ciphertext to the cloud platform.
  • Step 4 The cloud platform decrypts the ciphertext of the uploaded data through the key C and the symmetric decryption method to obtain the plaintext of the uploaded data.
  • Step 1 (data delivery, cloud to device) The cloud platform encrypts the plaintext of the delivered data with key C and symmetric encryption, produces the ciphertext of the delivered data, and transmits it to the data transmission device through the MQTT protocol.
  • Step 2 The data transmission device converts the MQTT protocol into a USB protocol through protocol conversion, and transmits the data ciphertext to the security enhancement module.
  • Step 3 The security enhancement module decrypts the ciphertext of the delivered data by using the key C and the symmetric decryption method to obtain the plaintext of the delivered data.
  • Step 4 The security enhancement module transmits the delivered data in plain text to the data transmission device through the USB protocol.
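The key agreement and data interaction steps above (selection of key C by authentication type, periodic replacement, and symmetric encryption of uploaded and delivered data inside the security enhancement module), as an added example in Go that is not part of the patent. It derives key C per device, per model or per service type from a cloud master secret with HMAC-SHA256 (the page does not say how the cloud generates the key; this derivation, the epoch counter and the DeviceInfo field names are assumptions), and uses AES-256-GCM with the transmission direction and device ID bound as associated data, so that an uplink ciphertext replayed as a downlink, or to another device, is rejected, as is any data sealed under the key from a previous negotiation. Delivery of key C is not modelled; note that an RSA operation with the platform private key, as the page describes for the first key, is what a signature does, and anyone holding the public key can undo it, so that step authenticates the origin of key C but does not by itself hide it from whoever can read the MQTT or USB link.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuthType is the authentication type chosen at registration; it fixes the scope of key C.
type AuthType int

const (
	OneMachineOneSecret AuthType = iota // one key per device
	OneTypeOneSecret                    // one key per device model
	UnifiedKey                          // one key for all devices of a service type
)

// DeviceInfo is what the cloud platform looks up for a key negotiation request (names assumed).
type DeviceInfo struct {
	DeviceID, Model, ServiceType string
}

// Direction of a transmission; bound into each ciphertext so uplink and downlink
// data cannot be swapped or replayed against another device.
const (
	Upload   = "upload"   // device -> cloud, encrypted inside the module
	Download = "download" // cloud -> device, decrypted inside the module
)

// GenerateSecurityKey (S11, cloud side) derives key C for the scope the authentication
// type selects. Incrementing epoch at each key negotiation yields a fresh key, which
// is how the periodic replacement of the security key is realized here.
func GenerateSecurityKey(master []byte, at AuthType, d DeviceInfo, epoch uint64) []byte {
	var scope string
	switch at {
	case OneMachineOneSecret:
		scope = "device:" + d.DeviceID
	case OneTypeOneSecret:
		scope = "model:" + d.Model
	default:
		scope = "service:" + d.ServiceType
	}
	mac := hmac.New(sha256.New, master)
	fmt.Fprintf(mac, "key-C|%s|epoch=%d", scope, epoch)
	return mac.Sum(nil) // 32 bytes, used directly as the AES-256 key
}

func aeadFor(keyC []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyC)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts transmission data with key C (AES-256-GCM). Direction and device
// ID are authenticated as associated data but not encrypted.
func Seal(keyC, plaintext []byte, dir, deviceID string) ([]byte, error) {
	g, err := aeadFor(keyC)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(dir+"|"+deviceID)), nil
}

// Open decrypts and fails if key, direction or device ID differ from those used
// to seal, or if the ciphertext was modified in transit.
func Open(keyC, data []byte, dir, deviceID string) ([]byte, error) {
	g, err := aeadFor(keyC)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:g.NonceSize()], data[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(dir+"|"+deviceID))
}

func main() {
	master := []byte("constructed cloud master secret, not a real value")
	dev := DeviceInfo{DeviceID: "GW-0001", Model: "GW-X1", ServiceType: "lighting"}
	keyC := GenerateSecurityKey(master, OneMachineOneSecret, dev, 1)
	up, _ := Seal(keyC, []byte(`{"lux":412}`), Upload, dev.DeviceID) // module encrypts the uplink
	pt, err := Open(keyC, up, Upload, dev.DeviceID)                   // cloud decrypts it
	fmt.Printf("cloud received %s (err=%v)\n", pt, err)
	_, err = Open(keyC, up, Download, dev.DeviceID) // same bytes reflected as a downlink
	fmt.Println("reflected uplink rejected:", err != nil)
	_, err = Open(GenerateSecurityKey(master, OneMachineOneSecret, dev, 2), up, Upload, dev.DeviceID)
	fmt.Println("old data after key replacement rejected:", err != nil)
}
```

The master secret and device identifiers are constructed sample values. Under one-type-one-secret, two devices of the same model obtain the same key C, which is why the text ranks that option below one-machine-one-secret: compromise of one module exposes the traffic of every device of that model for the current epoch.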
  • this embodiment can customize different security enhancement modules in combination with specific scenarios, and through the customized solution of security enhancement modules, it can be linked with edge devices and terminal devices to achieve system-level security enhancement.
  • This disclosure protects the security of the device to the greatest extent by adding a security enhancement module to the device, through the security enhancement module, device authentication, and platform-side device authentication and the establishment of a security data interaction method.
  • the security enhancement module performs data interaction with the device side through the USB interface, so as to be compatible with current existing devices.
  • a secure data interaction mechanism between the security module, the device, and the cloud platform is built through the security module and the device-side security SDK.
  • the security enhancement module has at least the following characteristics:
  • Trusted storage: sensitive data such as keys and certificates cannot be read out through the USB interface.
  • sensitive data is stored inside the security enhancement module in an encrypted manner, and even if the security enhancement module is cracked, the plaintext information of the encrypted data stored inside cannot be directly obtained.
  • the security key stored inside the security enhancement module is stored in ciphertext through a secondary encryption process.
  • the sensitive data stored inside the security enhancement module will not be sent out.
  • Sensitive data such as certificates can be written through customized host computer software, and can only be written but not read.
  • the encryption and decryption processes are all completed inside the security enhancement module, which avoids the weaknesses that arise when encryption and decryption are performed in external devices.
  • the security enhancement module can dynamically execute the key negotiation operation through the data transmission device and the cloud platform, and the frequency of the key negotiation can be flexibly adjusted according to the device type and authentication method.
  • the security key obtained through key negotiation can be generated in different ways in combination with device types and authentication methods, so that the generation method of the security key can be determined according to the data security level, and security can be further improved.
  • the key in the authentication process and the key in the data transmission process can be flexibly set according to the data type.
  • the cloud platform dynamically determines the key matching the data type according to the type of data to be transmitted. That is: the type of key and the way of encryption and decryption can be flexibly set according to the data type and the interaction process.
  • different encryption and decryption methods can be selected for different interaction processes, such as using symmetric keys for platform certificates and asymmetric keys for module certificates, so that keys and encryption and decryption methods can be set according to the interaction process and data security level.
  • the security module is provided by the cloud platform of the Internet of Things, so it is a trusted device, and the data transmission device is an external device independent of the cloud platform, so it is an untrusted device.
  • in order to avoid security problems caused by attacks on the untrusted device, all sensitive data and all encryption and decryption processes are handled by the security enhancement module.
  • a software development kit SDK is provided for the security enhancement module.
  • the data transmission device only needs to integrate the SDK to communicate with the security enhancement module and the cloud platform. That is: data transmission is performed between the security enhancement module and the data transmission device through a preset application program interface; and the application program interface is provided by a software development kit corresponding to the security enhancement module. It can be seen that, in this embodiment, when data is transmitted between the data transmission device and the security enhancement module, the application program interface API function provided by the SDK must be called to realize it.
  • when the data transmission device sends data to the security enhancement module, it needs to call the sending-class API implementation that matches the type of data sent; when the data transmission device receives the data returned by the security enhancement module, it needs to call the matching receiving-class API implementation. Since the parameters and execution logic of each application program interface function included in the SDK are pre-defined, execution logic that accesses sensitive data can be kept out of the interface functions when the SDK is designed, which avoids the problem of sensitive data being accessed maliciously.
  • An embodiment of the present disclosure also provides a data transmission device, which may be the security enhancement module mentioned above.
  • a data transmission device provided by an embodiment of the present disclosure includes:
  • the receiving module 51 is configured to receive the original transmission data sent by the data transmission device
  • the encryption and decryption module 52 is configured to determine a security key corresponding to the original transmission data, and perform encryption and decryption processing on the original transmission data through the security key to obtain secure transmission data;
  • the sending module 53 is configured to send the secure transmission data to the data transmission device; wherein the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • the apparatus further includes: a module certificate generation module configured to receive and store the platform certificate generated by the cloud platform in response to the device registration request and, in response to the authentication instruction sent by the data transmission device, add auxiliary verification data to the platform certificate to obtain a module certificate, and send the module certificate to the data transmission device, so that the data transmission device provides the module certificate to the cloud platform for device authentication; and the receiving module 51 is configured to: receive the original transmission data sent by the data transmission device when the device has passed authentication.
  • the device registration request is sent by the data transmission device, and the device registration request includes: module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device.
  • the auxiliary verification data includes: time stamp data; and, the device information of the data transmission device includes: a device service type and/or a device authentication type;
  • the encryption and decryption module is configured to: receive the security key returned by the cloud platform in response to the key negotiation request sent by the data transmission device; wherein the security key is generated according to the device service type and/or the device authentication type.
  • the encryption and decryption module is specifically configured such that:
  • when the device authentication type is the first authentication type, the security key corresponds to the device identifier; when the device authentication type is the second authentication type, the security key corresponds to the device model; when the device authentication type is the third authentication type, the security key corresponds to the device service type.
  • the platform certificate generated by the cloud platform is a platform certificate in ciphertext form; then the module certificate generation module is specifically configured as:
  • the module certificate in plaintext form is encrypted with the module certificate key to obtain the module certificate in ciphertext form.
  • the platform certificate in ciphertext form is obtained through symmetric encryption; the module certificate in ciphertext form is obtained through asymmetric encryption; and the module certificate key is obtained from the cloud platform.
  • the encryption and decryption module is specifically configured as:
  • Encryption and decryption are performed on the original transmission data through the security key and the encryption and decryption methods.
  • the data type includes at least one of the following: plaintext type, ciphertext type, sending type, receiving type, transmission data type, and security verification type;
  • the security key includes at least one of the following: a symmetric key, a non-key key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key, and a variable key;
  • the encryption and decryption methods include: a symmetric encryption method, a symmetric decryption method, an asymmetric encryption method, and an asymmetric decryption method.
  • An embodiment of the present disclosure also provides a data transmission device, which may be the data transmission device mentioned above.
  • a data transmission device provided by an embodiment of the present disclosure includes:
  • the sending module 61 is configured to send the original transmission data to the security enhancement module
  • the receiving module 62 is configured to receive the secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to the security key corresponding to the original transmission data;
  • the original transmission data is used for transmission between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
  • the device further includes:
  • the registration module 63 is configured to send a device registration request to the cloud platform, so that the security enhancement module receives and stores the platform certificate generated by the cloud platform in response to the device registration request;
  • the authentication module 64 is configured to send an authentication instruction to the security enhancement module, so that the security enhancement module can add auxiliary verification data to the platform certificate to obtain the module certificate;
  • the receiving module 62 is further configured to: send the received module certificate from the security enhancement module to the cloud platform for the cloud platform to perform device authentication;
  • the sending module 61 is specifically configured to: send the original transmission data to the security enhancement module when the device is authenticated.
  • the device registration request includes: module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device;
  • the auxiliary verification data includes: timestamp data; the device information of the data transmission device includes: a device service type and/or a device authentication type; then the security key corresponding to the original transmission data is generated by the cloud platform according to the device service type and/or the device authentication type;
  • when the device authentication type is the first authentication type, the security key corresponds to the device identifier; when the device authentication type is the second authentication type, the security key corresponds to the device model; when the device authentication type is the third authentication type, the security key corresponds to the device service type.
  • the device further includes:
  • a key agreement module configured to send a key agreement request to the cloud platform
  • according to the result returned by the cloud platform, provide the security enhancement module with the security key from the cloud platform; wherein the security key is generated according to the device service type and/or the device authentication type.
  • the key agreement module is specifically configured to:
  • send the first key, obtained by the cloud platform encrypting the security key with the platform private key, to the security enhancement module, so that the security enhancement module decrypts the first key with the pre-acquired platform public key to obtain the security key.
  • the sending module is specifically configured to: perform protocol conversion processing on the original transmission data received through the platform transmission protocol, and send the original transmission data after protocol conversion processing to the security enhancement module;
  • the receiving module is further configured to: perform protocol conversion processing on the secure transmission data received through the preset transmission protocol, and send the secure transmission data after protocol conversion processing to the cloud platform.
  • the embodiment of the present disclosure also provides a cloud platform.
  • the cloud platform provided by an embodiment of the present disclosure includes:
  • the key sending module 71 is configured to send the generated security key to the security enhancement module
  • the first transmission module 72 is configured to send the encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module, and the security enhancement module performs decryption processing according to the security key; and/or,
  • the second transmission module 73 is configured to receive the second transmission data sent by the data transmission device and encrypted by the security enhancement module with the security key.
  • the cloud platform also includes:
  • the platform certificate generation module is configured to generate a platform certificate according to the received device registration request, and provide the platform certificate to the security enhancement module;
  • the second transmission module is further configured to: receive the module certificate sent by the security enhancement module through the data transmission device; parse the module certificate, and perform device authentication according to the parsing result.
  • the platform certificate generation module is specifically configured as:
  • the second transmission module is specifically configured to: decrypt the received module certificate in ciphertext form to obtain a module certificate in plaintext form; match the module certificate in plaintext form against the pre-generated platform certificate; if the match succeeds, the device passes authentication.
  • the key sending module is specifically configured to: respond to the key negotiation request sent by the data transmission device, acquire the device information corresponding to the key negotiation request, generate a security key according to the device information, and send the generated security key to the security enhancement module; wherein the device information includes: the device service type and/or the device authentication type.
  • the key sending module is specifically configured to: encrypt the security key with the platform private key to obtain a first key; send the first key to the security enhancement module through the data transmission device, so that the security enhancement module decrypts the first key with the pre-acquired platform public key to obtain the security key.
  • a data transmission system provided by an embodiment of the present disclosure includes:
  • the first data transmission device 81 may be the security enhancement module shown in FIG. 5
  • the second data transmission device 82 may be the data transmission device shown in FIG. 6
  • the structure of the cloud platform 83 may be shown in FIG. 7 .
  • an electronic device which includes:
  • one or more processors 901;
  • a memory 902 on which one or more programs are stored, such that when the one or more programs are executed by the one or more processors, the one or more processors implement any one of the data transmission methods described above;
  • one or more I/O interfaces 903 connected between the processor and the memory, configured to realize information exchange between the processor and the memory.
  • the processor 901 is a device with data processing capability, which includes but is not limited to a central processing unit (CPU) and the like.
  • the memory 902 is a device with data storage capability, which includes but is not limited to random access memory (RAM, more specifically SDRAM, DDR and the like), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM) and flash memory (FLASH); the I/O interface (read-write interface) 903 is connected between the processor 901 and the memory 902 and realizes information interaction between the processor 901 and the memory 902, and includes but is not limited to a data bus (Bus) and the like.
  • the processor 901, the memory 902 and the I/O interface 903 are connected to each other through a bus, and further connected to other components of the computing device.
  • This embodiment also provides a computer-readable medium, on which a computer program is stored.
  • when the program is executed by a processor, the data transmission method provided by this embodiment is implemented. To avoid repetition, the steps of the data transmission method are not described again here.
  • the functional modules/units in the system and the device can be implemented as software, firmware, hardware, or an appropriate combination thereof.
  • the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed by several physical components cooperating.
  • some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit.
  • such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, tape, magnetic disk storage or other magnetic storage, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • communication media typically embody computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

Abstract

A data transmission method, apparatus and system, an electronic device, and a readable medium, relating to the technical field of computers. The data transmission method comprises: receiving original transmission data sent by a data transmission device; determining a security key corresponding to the original transmission data, and executing encryption and decryption processing on the original transmission data by means of the security key to obtain secure transmission data; and sending the secure transmission data to the data transmission device, wherein the original transmission data is used for transmission between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform. The security of data transmission can be improved, and the problem of cracking in a data transmission process is avoided.

Description

Data transmission method, device, system, electronic device and readable medium
Technical field
The present disclosure belongs to the field of computer technology, and in particular relates to a data transmission method, device, system, electronic device and readable medium.
Background
In recent years, with the advent of the Internet of Everything era, more and more external devices need to access Internet of Things platforms and interconnect with the help of cloud servers. To ensure that external devices are trusted when they connect, device authentication is performed on them. Usually, during device authentication, the external device provides the identity verification information used for authentication, and the cloud platform performs the authentication operation according to that information.
However, the inventors found in the process of implementing the present invention that the above method has at least the following defects: on the one hand, identity verification information is easy to forge, so the reliability of authentication is low; on the other hand, once the external device is attacked, the identity verification information is leaked, which creates a security risk.
It can be seen that in Internet of Things scenarios where external devices and cloud platforms communicate with each other, a more secure data transmission method is urgently needed.
Summary
The present disclosure aims to provide a data transmission method, device, system, electronic device and readable medium.
A first aspect of the present disclosure provides a data transmission method applied to a security enhancement module, which includes:
receiving original transmission data sent by a data transmission device;
determining a security key corresponding to the original transmission data, and performing encryption and decryption processing on the original transmission data with the security key to obtain secure transmission data;
sending the secure transmission data to the data transmission device;
wherein the original transmission data is used for transmission between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
Wherein, before receiving the original transmission data sent by the data transmission device, the method further includes:
receiving and storing a platform certificate generated by the cloud platform in response to a device registration request;
in response to an authentication instruction sent by the data transmission device, adding auxiliary verification data to the platform certificate to obtain a module certificate, and sending the module certificate to the data transmission device, so that the data transmission device provides the module certificate to the cloud platform for device authentication;
and the receiving of the original transmission data sent by the data transmission device specifically includes: receiving the original transmission data sent by the data transmission device when the device has passed authentication.
Wherein the device registration request is sent by the data transmission device, and the device registration request includes: module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device.
Wherein the auxiliary verification data includes: timestamp data; and the device information of the data transmission device includes: a device service type and/or a device authentication type;
then determining the security key corresponding to the data type of the original transmission data includes: receiving the security key returned by the cloud platform in response to a key negotiation request sent by the data transmission device; wherein the security key is generated according to the device service type and/or the device authentication type.
Wherein receiving the security key returned by the cloud platform in response to the key negotiation request sent by the data transmission device includes:
receiving a first key obtained by the cloud platform encrypting the security key with a platform private key; and decrypting the first key with a pre-acquired platform public key to obtain the security key.
Wherein, when the device authentication type is a first authentication type, the security key corresponds to a device identifier; when the device authentication type is a second authentication type, the security key corresponds to a device model; and when the device authentication type is a third authentication type, the security key corresponds to the device service type.
Wherein the platform certificate generated by the cloud platform is a platform certificate in ciphertext form; then adding auxiliary verification data to the platform certificate to obtain the module certificate includes:
decrypting the platform certificate in ciphertext form according to a platform certificate key provided by the cloud platform to obtain the platform certificate in plaintext form;
adding the auxiliary verification data to the platform certificate in plaintext form to obtain a module certificate in plaintext form;
encrypting the module certificate in plaintext form with a module certificate key to obtain the module certificate in ciphertext form.
Wherein the platform certificate in ciphertext form is obtained by symmetric encryption; the module certificate in ciphertext form is obtained by asymmetric encryption; and the module certificate key is obtained from the cloud platform.
Wherein determining the security key corresponding to the original transmission data and performing encryption and decryption processing on the original transmission data with the security key includes:
determining a data type of the original transmission data, and determining the security key and an encryption and decryption method according to the data type;
performing encryption and decryption processing on the original transmission data with the security key and the encryption and decryption method.
Wherein the data type includes at least one of the following: a plaintext type, a ciphertext type, a sending type, a receiving type, a transmission data type, and a security verification type;
and the security key includes at least one of the following: a symmetric key, a non-key key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key, and a variable key;
the encryption and decryption method includes: a symmetric encryption method, a symmetric decryption method, an asymmetric encryption method, and an asymmetric decryption method.
Wherein the security enhancement module is pluggably connected to the data transmission device through a preset interface, and the security enhancement module communicates with the data transmission device through a preset transmission protocol corresponding to the preset interface; wherein the preset interface includes a USB interface.
Wherein data transmission between the security enhancement module and the data transmission device is performed through a preset application program interface; and the application program interface is provided by a software development kit corresponding to the security enhancement module.
A second aspect of the present disclosure provides a data transmission method applied to a data transmission device, which includes:
sending original transmission data to a security enhancement module;
receiving secure transmission data obtained after the security enhancement module performs encryption and decryption processing according to a security key corresponding to the original transmission data;
wherein the original transmission data is used for transmission between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
Wherein, before sending the original transmission data to the security enhancement module, the method further includes:
sending a device registration request to the cloud platform, so that the security enhancement module receives and stores a platform certificate generated by the cloud platform in response to the device registration request;
sending an authentication instruction to the security enhancement module, so that the security enhancement module adds auxiliary verification data to the platform certificate to obtain a module certificate;
sending the module certificate received from the security enhancement module to the cloud platform, for the cloud platform to perform device authentication;
and the sending of the original transmission data to the security enhancement module specifically includes: sending the original transmission data to the security enhancement module when the device has passed authentication.
Wherein the device registration request includes: module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes: the module information of the security enhancement module and the device information of the data transmission device;
and the auxiliary verification data includes: timestamp data; the device information of the data transmission device includes: a device service type and/or a device authentication type; then the security key corresponding to the original transmission data is generated by the cloud platform according to the device service type and/or the device authentication type;
wherein, when the device authentication type is a first authentication type, the security key corresponds to a device identifier; when the device authentication type is a second authentication type, the security key corresponds to a device model; and when the device authentication type is a third authentication type, the security key corresponds to the device service type.
Wherein, before receiving the secure transmission data obtained by the security enhancement module according to the security key corresponding to the original transmission data, the method further includes:
sending a key negotiation request to the cloud platform;
according to the result returned by the cloud platform, providing the security enhancement module with the security key from the cloud platform; wherein the security key is generated according to the device service type and/or the device authentication type.
Wherein providing the security enhancement module with the security key from the cloud platform includes:
sending a first key, obtained by the cloud platform encrypting the security key with a platform private key, to the security enhancement module, so that the security enhancement module decrypts the first key with a pre-acquired platform public key to obtain the security key.
Wherein, if the original transmission data is data received by the data transmission device from the cloud platform, sending the original transmission data to the security enhancement module includes: performing protocol conversion processing on the original transmission data received through a platform transmission protocol, and sending the original transmission data after protocol conversion processing to the security enhancement module;
if the original transmission data is local data of the data transmission device, then after receiving the secure transmission data obtained by the security enhancement module performing encryption and decryption processing according to the security key corresponding to the original transmission data, the method further includes: performing protocol conversion processing on the secure transmission data received through a preset transmission protocol, and sending the secure transmission data after protocol conversion processing to the cloud platform.
本公开第三方面提供一种数据传输方法,应用于云平台,其包括:The third aspect of the present disclosure provides a data transmission method applied to a cloud platform, which includes:
将生成的安全密钥发送给安全增强模块;Send the generated security key to the security enhancement module;
向数据传输设备发送加密后的第一传输数据,以供所述数据传输设备将所述第一传输数据提供给安全增强模块,以使所述安全增强模块根据所述安全密钥执行解密处理;和/或,Sending encrypted first transmission data to a data transmission device, so that the data transmission device provides the first transmission data to a security enhancement module, so that the security enhancement module performs decryption processing according to the security key; and / or,
接收所述数据传输设备发送的由所述安全增强模块通过所述安全密钥加密得到的第二传输数据。receiving the second transmission data encrypted by the security enhancement module through the security key and sent by the data transmission device.
Wherein, the method further includes:
generating a platform certificate according to a received device registration request, and providing the platform certificate to the security enhancement module;
receiving a module certificate sent by the security enhancement module through the data transmission device;
parsing the module certificate, and performing device authentication according to the parsing result.
Wherein, generating the platform certificate according to the received device registration request includes:
obtaining the module information of the security enhancement module and the device information of the data transmission device contained in the device registration request, and generating the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device.
Wherein, generating the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device includes:
encrypting the module information of the security enhancement module and the device information of the data transmission device to obtain a platform certificate in ciphertext form;
and parsing the module certificate and performing device authentication according to the parsing result includes:
decrypting the received module certificate in ciphertext form to obtain the module certificate in plaintext form;
matching the module certificate in plaintext form against the previously generated platform certificate; if the match succeeds, device authentication passes.
Wherein, sending the generated security key to the security enhancement module includes:
in response to a key negotiation request sent by the data transmission device, obtaining the device information corresponding to the key negotiation request;
generating a security key according to the device information, and sending the generated security key to the security enhancement module; wherein the device information includes a device service type and/or a device authentication type.
Wherein, sending the generated security key to the security enhancement module includes:
encrypting the security key with a platform private key to obtain a first key;
sending the first key to the security enhancement module through the data transmission device, so that the security enhancement module decrypts the first key with a previously obtained platform public key to obtain the security key.
A fourth aspect of the present disclosure provides a data transmission apparatus, which includes:
a receiving module configured to receive original transmission data sent by a data transmission device;
an encryption/decryption module configured to determine a security key corresponding to the original transmission data, and to perform encryption/decryption processing on the original transmission data with the security key to obtain secure transmission data;
a sending module configured to send the secure transmission data to the data transmission device;
wherein the original transmission data is for transmission between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
A fifth aspect of the present disclosure provides a data transmission apparatus, which includes:
a sending module configured to send original transmission data to a security enhancement module;
a receiving module configured to receive the secure transmission data obtained after the security enhancement module performs encryption/decryption processing according to a security key corresponding to the original transmission data;
wherein the original transmission data is for transmission between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
A sixth aspect of the present disclosure provides a cloud platform, which includes:
a key sending module configured to send a generated security key to a security enhancement module;
a first transmission module configured to send encrypted first transmission data to a data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module and the security enhancement module performs decryption processing according to the security key; and/or
a second transmission module configured to receive, from the data transmission device, second transmission data encrypted by the security enhancement module with the security key.
A seventh aspect of the present disclosure provides a data transmission system, which includes the data transmission apparatus of the fourth aspect, the data transmission apparatus of the fifth aspect, and the cloud platform of the sixth aspect.
An eighth aspect of the present disclosure provides an electronic device, including:
one or more processors;
a memory storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement any of the methods described above;
one or more I/O interfaces connected between the processors and the memory and configured to implement information exchange between the processors and the memory.
A ninth aspect of the present disclosure provides a computer-readable medium on which a computer program is stored; when the program is executed by a processor, any of the methods described above is implemented.
Brief Description of the Drawings
The accompanying drawings are provided for a further understanding of the present disclosure and constitute a part of the specification; together with the following detailed description they serve to explain the present disclosure, but do not limit it. In the drawings:
FIG. 1 is a flowchart of a data transmission method applied to a security enhancement module according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of a data transmission method applied to a data transmission device according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of a data transmission method applied to a cloud platform according to an embodiment of the present disclosure;
FIG. 4 is a flowchart of a data transmission method applied to a security enhancement module, a data transmission device and a cloud platform according to an embodiment of the present disclosure;
FIG. 5 is a structural diagram of a data transmission apparatus according to an embodiment of the present disclosure;
FIG. 6 is a structural diagram of a data transmission apparatus according to another embodiment of the present disclosure;
FIG. 7 is a structural diagram of a cloud platform according to an embodiment of the present disclosure;
FIG. 8 is a structural diagram of a data transmission system according to an embodiment of the present disclosure;
FIG. 9 is a functional block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
To enable those skilled in the art to better understand the technical solutions of the present disclosure/utility model, the present disclosure/utility model is described in further detail below with reference to the accompanying drawings and specific embodiments.
Unless otherwise defined, technical or scientific terms used in the present disclosure have the ordinary meaning understood by a person of ordinary skill in the art to which the present disclosure belongs. "First", "second" and similar words used in the present disclosure do not denote any order, quantity or importance, but only serve to distinguish different components. Likewise, "a", "an", "the" and similar words do not denote a limitation of quantity, but indicate that at least one exists. "Comprising", "including" and similar words mean that the elements or items preceding the word encompass the elements or items listed after the word and their equivalents, without excluding other elements or items. "Connected", "coupled" and similar words are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Up", "down", "left", "right" and the like are only used to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may change accordingly.
In a first aspect, an embodiment of the present disclosure provides a data transmission method that improves the reliability of data transmission through a security enhancement module and avoids the data leakage that results when an external device is attacked.
As shown in FIG. 1, the data transmission method provided by the embodiment of the present disclosure may be applied to a security enhancement module. The security enhancement module may be connected to a data transmission device by plugging in, and the data transmission device and a cloud platform communicate with each other. The method includes:
Step S110: receiving original transmission data sent by the data transmission device.
The original transmission data is for transmission between the data transmission device and the cloud platform. The data transmission device may be any of various types of external device, and the original transmission data may be data sent by the cloud platform to the data transmission device or data generated by the data transmission device for sending to the cloud platform; the present invention does not limit the data type or data source of the original transmission data.
Step S120: determining the security key corresponding to the original transmission data, and performing encryption/decryption processing on the original transmission data with the security key to obtain secure transmission data.
The security key is obtained from the cloud platform. If the original transmission data is data sent by the cloud platform to the data transmission device, it is normally in an encrypted state, so decryption processing with the security key is required to obtain secure transmission data in a decrypted state. If the original transmission data is data generated by the data transmission device for sending to the cloud platform, it is normally in an unencrypted state, so encryption processing with the security key is required to obtain secure transmission data in an encrypted state.
Step S130: sending the secure transmission data to the data transmission device.
The security enhancement module sends the encrypted or decrypted secure transmission data to the data transmission device for subsequent processing by the data transmission device.
As shown in FIG. 2, the data transmission method provided by the embodiment of the present disclosure may be applied to a data transmission device. The method includes:
Step S210: sending original transmission data to the security enhancement module.
The original transmission data is for transmission between the data transmission device and the cloud platform. The data transmission device may be any of various types of external device, and the original transmission data may be data sent by the cloud platform to the data transmission device or data generated by the data transmission device for sending to the cloud platform; the present invention does not limit the data type or data source of the original transmission data.
Step S220: receiving the secure transmission data obtained after the security enhancement module performs encryption/decryption processing according to the security key corresponding to the original transmission data.
The security key is obtained from the cloud platform. If the original transmission data is data sent by the cloud platform to the data transmission device, it is normally in an encrypted state, so decryption processing with the security key is required to obtain secure transmission data in a decrypted state. If the original transmission data is data generated by the data transmission device for sending to the cloud platform, it is normally in an unencrypted state, so encryption processing with the security key is required to obtain secure transmission data in an encrypted state.
As shown in FIG. 3, the data transmission method provided by the embodiment of the present disclosure may be applied to a cloud platform. The method includes:
Step S310: sending the generated security key to the security enhancement module.
The security key may be generated in various ways. For example, the cloud platform and the data transmission device may perform a key negotiation operation to obtain the security key. As another example, the security key may be determined according to the device type of the data transmission device, and the security key is then sent to the security enhancement module through the data transmission device.
Step S320: sending encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module and the security enhancement module performs decryption processing according to the security key.
The cloud platform sends the encrypted first transmission data to the data transmission device, the data transmission device provides the first transmission data to the security enhancement module, and the security enhancement module correspondingly performs decryption processing according to the security key provided by the cloud platform.
Step S330: receiving, from the data transmission device, second transmission data encrypted by the security enhancement module with the security key.
The cloud platform receives the encrypted second transmission data sent by the data transmission device; the encrypted second transmission data was encrypted by the security enhancement module using the security key provided by the cloud platform.
Step S320 and step S330 may be performed alternatively, or they may be performed simultaneously or alternately; the present invention does not limit this.
It can be seen that, through the security enhancement module, encryption and decryption operations can be performed on the data transmitted between the cloud platform and the data transmission device. Since the encryption and decryption processes are implemented entirely inside the security enhancement module, and the security key is obtained from the cloud platform by key negotiation, the security risks caused by an untrusted data transmission device are avoided and data security is improved.
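As an added illustration of steps S120 and S310 to S330 (example code, not code from the patent or its applicant), the following Go program models the security enhancement module and the cloud platform sharing one security key. Assumptions that go beyond the page: the key is derived from the device service type and authentication type with HMAC-SHA256 over a platform master secret (the page only says the key is generated from device information or by key negotiation), the cipher is AES-256-GCM (the page names no cipher for the transmission data), the wire format is nonce||ciphertext||tag, and all type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveSecurityKey stands in for the platform's key generation from device information
// (service type and/or authentication type). HMAC-SHA256 over a platform master secret is
// this example's assumption, not the page's method.
func DeriveSecurityKey(master []byte, serviceType, authType string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("security-key|" + serviceType + "|" + authType))
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

// SecurityModule models the security enhancement module: it holds the security key received
// from the cloud platform and performs all encryption/decryption itself. The platform side
// runs the same primitive under the same key.
type SecurityModule struct {
	aead cipher.AEAD
}

func NewSecurityModule(securityKey []byte) (*SecurityModule, error) {
	block, err := aes.NewCipher(securityKey)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecurityModule{aead: g}, nil
}

// Encrypt (step S120, device-to-cloud direction): plaintext from the device becomes
// nonce||ciphertext||tag under the security key. AES-GCM is an assumption of this example.
func (m *SecurityModule) Encrypt(plain []byte) ([]byte, error) {
	nonce := make([]byte, m.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return m.aead.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt (step S120, cloud-to-device direction): fails on a modified or truncated message,
// so the untrusted device in the middle cannot alter data without the module noticing.
func (m *SecurityModule) Decrypt(ct []byte) ([]byte, error) {
	n := m.aead.NonceSize()
	if len(ct) < n+m.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return m.aead.Open(nil, ct[:n], ct[n:], nil)
}

// RoundTrip walks steps S310 to S330 with the platform and the module sharing one derived key:
// the platform encrypts first transmission data and the module decrypts it (S320); the module
// encrypts second transmission data and the platform decrypts it (S330). It returns the
// plaintext recovered on each side.
func RoundTrip(master, first, second []byte) (atModule, atPlatform []byte, err error) {
	key := DeriveSecurityKey(master, "conference", "standard") // constructed device information
	platform, err := NewSecurityModule(key)
	if err != nil {
		return nil, nil, err
	}
	module, err := NewSecurityModule(key)
	if err != nil {
		return nil, nil, err
	}
	c1, err := platform.Encrypt(first)
	if err != nil {
		return nil, nil, err
	}
	if atModule, err = module.Decrypt(c1); err != nil {
		return nil, nil, err
	}
	c2, err := module.Encrypt(second)
	if err != nil {
		return nil, nil, err
	}
	atPlatform, err = platform.Decrypt(c2)
	return atModule, atPlatform, err
}

func main() {
	master := []byte("constructed-platform-master-secret") // constructed sample secret
	a, b, err := RoundTrip(master, []byte("first transmission data"), []byte("second transmission data"))
	fmt.Printf("module recovered %q, platform recovered %q, err=%v\n", a, b, err)
}
```

The authenticated mode is the point to notice in this architecture: the data transmission device sits between the module and the platform and is treated as untrusted, so a cipher with integrity protection means any change it makes to a ciphertext is rejected by Decrypt instead of being passed on as silently corrupted plaintext.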
As shown in FIG. 4, the data transmission method provided by the embodiment of the present disclosure is used to implement data interaction among a cloud platform, a data transmission device and a security enhancement module.
The data transmission device may be any of various types of external device used to access a cloud platform such as an Internet of Things platform, including conference devices, security devices and other types of device. Because external devices are numerous, come from diverse sources and are of different types, performing a security check on each external device one by one would cost a great deal of time and could easily leave security risks because of missed inspections and similar problems. It can thus be seen that, in the application scenario of this embodiment, data transmission devices have a wide range of sources and are difficult to screen for security.
In order to verify the security of the data transmission device conveniently, quickly, safely and efficiently, a security enhancement module is provided in this embodiment. The encryption and decryption of sensitive data is carried out by the security enhancement module, which ensures that sensitive data is not leaked and improves communication security in scenarios where the data transmission device is untrusted.
The security enhancement module may communicate with the data transmission device in various ways. For example, it may be connected to the data transmission device by wired or wireless means. In an optional implementation, to make the placement of the security enhancement module more flexible, the security enhancement module is plugged into the data transmission device in a pluggable manner to communicate with it. For example, in one implementation the security enhancement module may be connected to the data transmission device through a USB interface, or through an internal data bus such as PCIe, LVDS, I2C or UART. In another implementation, the security enhancement module may be inserted into the data transmission device as a security chip (FPGA) that connects to the SoC (System on Chip) over an internal data bus, and thereby communicates with the data transmission device. In short, the present disclosure does not limit the specific form in which the security enhancement module is connected, as long as it can communicate with the data transmission device flexibly and conveniently.
It can be seen that the security enhancement module can take over data encryption and decryption, data verification and the like from the data transmission device, thereby improving security. To prevent untrusted devices from accessing the cloud platform, in this embodiment device registration and device authentication are performed before data transmission, and data transmission proceeds only once device authentication has passed, which effectively prevents suspicious devices from accessing the cloud platform.
As shown in FIG. 4, the method includes the following steps:
Step S1: the data transmission device sends a device registration request to the cloud platform.
The device registration request is used to register the relevant information of the data transmission device with the cloud platform. During device registration, the cloud platform records not only the device information of the data transmission device but also the module information of the security enhancement module associated with that data transmission device. Correspondingly, in the subsequent device authentication process, the legitimacy of both the data transmission device and the security enhancement module is verified to ensure trusted access by the device.
In a first application scenario, the security enhancement module is assigned to the data transmission device in advance, and the device registration request sent by the data transmission device accordingly includes the module information of the security enhancement module and the device information of the data transmission device. The module information of the security enhancement module uniquely identifies a security enhancement module and may, for example, be the ID of the security enhancement module. The device information of the data transmission device describes the characteristics of the data transmission device; for example, the device information includes a device service type and/or a device authentication type. The device service type describes the kind of service the data transmission device performs, such as a conference type or a security type; the device service type may also be a gateway type, a lighting type, a camera type and so on. The device authentication type describes the authentication method of the device and may be set according to the security level of the device. In this scenario the device registration request is sent by the data transmission device, so the correspondence between data transmission device and security enhancement module can be adjusted flexibly, which makes flexible pairing between security enhancement module and data transmission device easy and gives high flexibility.
In a second application scenario, the security enhancement module is not assigned to the data transmission device in advance; instead, after the cloud platform receives the device registration request, it allocates a corresponding security enhancement module to that data transmission device. In this case the device registration request sent by the data transmission device includes the device information of the data transmission device but not the module information of the security enhancement module. Here the security enhancement module is allocated directly by the cloud platform, so the correspondence between security enhancement module and data transmission device is preset by the cloud platform and cannot be changed arbitrarily afterwards, which gives high security.
In practice, at least one of the above two approaches may be selected flexibly according to the characteristics of the specific business scenario.
Step S2: the cloud platform generates a platform certificate according to the received device registration request.
The cloud platform obtains the module information of the security enhancement module and the device information of the data transmission device contained in the device registration request, and generates the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device. Optionally, when generating the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device, the module information and the device information are further encrypted to obtain a platform certificate in ciphertext form.
In the first application scenario above, the cloud platform parses the device registration request, obtains the module information of the security enhancement module and the device information of the data transmission device contained in it, performs an encryption operation on the module information of the security enhancement module and the device information of the data transmission device with a platform certificate key (for example, key A), and obtains the platform certificate from the encryption result. To improve encryption efficiency, the encryption operation may be a symmetric encryption operation; for example, the AES encryption algorithm may be used. The plaintext of the platform certificate thus comprises the module information of the security enhancement module and the device information of the data transmission device, and the encryption operation improves security during transmission.
In the second application scenario above, the cloud platform parses the device registration request, obtains the device information of the data transmission device contained in it, and allocates a corresponding security enhancement module according to the type of the data transmission device. It then performs an encryption operation with the platform certificate key (for example, key A) on the module information of the allocated security enhancement module and the device information of the data transmission device, and obtains the platform certificate from the encryption result. In this approach the security enhancement module is allocated by the cloud platform according to the device information in the device registration request.
Optionally, when there are multiple types of data transmission device, different kinds of security enhancement module may be provided for the different types of data transmission device; the cloud platform then selects, according to the device information in the device authentication request, a security enhancement module matching the device type of the current device and allocates it.
Step S3: the cloud platform provides the platform certificate to the security enhancement module.
In this step the cloud platform may provide the platform certificate to the security enhancement module through the data transmission device, or may provide it to the security enhancement module directly. Correspondingly, the security enhancement module receives and stores the platform certificate generated by the cloud platform in response to the device registration request. For example, in the first application scenario above, the cloud platform sends the platform certificate to the data transmission device, and the data transmission device provides the platform certificate and the platform certificate key to the security enhancement module. In the second application scenario above, the cloud platform provides the platform certificate and the platform certificate key to the security enhancement module directly. In the former approach the platform certificate stored in the security enhancement module is added dynamically, so the module can dynamically adapt to different data transmission devices, which improves flexibility. In the latter approach the platform certificate and the platform certificate key can be burned directly into the security enhancement module, which further improves security.
In addition, whichever approach is used, the cloud platform must record the correspondence between the module information of the security enhancement module and the device information of the data transmission device, so that this correspondence can further improve security in the subsequent authentication process and prevent the security risks that would arise if the data transmission device or the security enhancement module were maliciously replaced.
Step S4: The data transmission device sends an authentication instruction to the security enhancement module.
Here, the data transmission device actively initiates the device authentication operation by sending an authentication instruction to the security enhancement module.
Step S5: In response to the authentication instruction, the security enhancement module adds auxiliary verification data to the platform certificate to obtain a module certificate.
In response to the authentication instruction sent by the data transmission device, the security enhancement module adds auxiliary verification data to the stored platform certificate to obtain the module certificate. The auxiliary verification data includes any additional data that can serve an auxiliary verification function, such as timestamp data or device fingerprint data.
Optionally, to improve security, the platform certificate generated by the cloud platform is in ciphertext form. First, the security enhancement module decrypts the ciphertext platform certificate with the platform certificate key provided by the cloud platform (for example, key A) to obtain the plaintext platform certificate. When the platform certificate was produced by symmetric encryption, the platform certificate key used for decryption is the same as the platform certificate key the cloud platform used for encryption, so decryption can be performed quickly. Of course, in other application scenarios with higher security requirements, asymmetric encryption and decryption may be used instead.
Then, auxiliary verification data is added to the plaintext platform certificate to obtain a plaintext module certificate. For example, the security enhancement module obtains its internal system time, generates timestamp data from it, and adds the timestamp data to the platform certificate to obtain the module certificate. This process is in essence a certificate reorganization, and the auxiliary verification data it introduces further improves security. For example, if the timestamp data has been tampered with, the certificate was attacked in transit.
Finally, the plaintext module certificate is encrypted with the module certificate key to obtain a ciphertext module certificate. In one optional implementation, the ciphertext platform certificate is obtained by symmetric encryption, the ciphertext module certificate is obtained by asymmetric encryption, and the module certificate key is obtained from the cloud platform. Because the ciphertext module certificate is obtained by asymmetric encryption, the transmission security of the module certificate is improved.
The module certificate key can be obtained in a number of ways. For example, in one implementation the security enhancement module sends a communication request (also called a module certificate key acquisition request) to the cloud platform through the data transmission device. On receiving the communication request, the cloud platform generates a module certificate private key b and a module certificate public key B; the private key b is stored on the cloud platform, and the public key B is forwarded to the security enhancement module through the data transmission device. The module certificate public key B is the module certificate key. Asymmetric encryption and decryption are thus realized with the module certificate private key b and the module certificate public key B.
In addition, it should be noted that in this embodiment the security enhancement module is connected to the data transmission device in a pluggable manner through a preset interface, and communicates with the data transmission device using the preset transmission protocol corresponding to that interface (that is, the first transmission protocol); the preset interface includes a USB interface, and the preset transmission protocol includes the USB protocol. The data transmission device and the cloud platform, on the other hand, communicate through a platform transmission protocol, for example the MQTT protocol. MQTT (Message Queuing Telemetry Transport) is an unencrypted protocol on top of TCP; it is a publish/subscribe messaging protocol standardized as ISO/IEC PRF 20922 that runs on the TCP/IP protocol family and was designed for remote devices with limited hardware and poor network conditions, for which purpose a message broker (middleware) is required. MQTT is a client-server publish/subscribe message transport protocol. It is lightweight, simple, open and easy to implement, which makes it applicable in a very wide range of settings, including constrained environments such as machine-to-machine (M2M) communication and the Internet of Things (IoT); it is widely used in sensors communicating over satellite links, medical devices with occasional dial-up connections, smart homes and various miniaturized devices.
Correspondingly, the data transmission device needs to perform protocol conversion: data received from the security enhancement module over the first transmission protocol is converted and sent to the cloud platform over the second transmission protocol, and data received from the cloud platform over the second transmission protocol is converted and sent to the security enhancement module over the first transmission protocol. Therefore, in this step the data transmission device converts the communication request from the security enhancement module from the USB protocol to the MQTT protocol before transmitting it to the cloud platform, and after receiving the module certificate public key B sent by the cloud platform over the MQTT protocol, converts it and sends it to the security enhancement module over the USB protocol.
Step S6: The security enhancement module sends the module certificate to the cloud platform for the cloud platform to perform device authentication.
Here, the security enhancement module first sends the module certificate to the data transmission device, and the data transmission device sends the module certificate to the cloud platform for device authentication. Correspondingly, the data transmission device forwards the module certificate received from the security enhancement module to the cloud platform for device authentication.
In one implementation, the security enhancement module sends the ciphertext module certificate to the data transmission device over the USB protocol, and the data transmission device sends the ciphertext module certificate to the cloud platform over the MQTT protocol.
Step S7: The cloud platform receives the module certificate sent by the security enhancement module through the data transmission device, parses the module certificate, and performs device authentication according to the parsing result.
Optionally, when the module certificate is in ciphertext form, the cloud platform decrypts the received ciphertext module certificate to obtain the plaintext module certificate, and matches the plaintext module certificate against the pre-generated platform certificate; if the match succeeds, device authentication passes. The ciphertext module certificate can be decrypted asymmetrically with the module certificate private key b mentioned above.
The plaintext module certificate comprises the auxiliary verification data and the plaintext platform certificate obtained by the security enhancement module's decryption. Under normal circumstances, the module information of the security enhancement module and the device information of the data transmission device contained in that plaintext platform certificate are consistent with the corresponding information in the platform certificate pre-generated by the cloud platform. Therefore, if the plaintext module certificate matches the pre-generated platform certificate, device authentication passes; if it does not, device authentication fails.
In one example, the cloud extracts the relevant information from the decrypted module certificate plaintext, for example the ID of the security enhancement module; that is, the unique internal ID of the security enhancement module serves as the only root of trust for the data transmission device on the cloud platform. Correspondingly, during comparison the cloud platform compares the extracted unique internal ID of the security enhancement module with the root of trust stored in the cloud. If they match, authentication succeeds; otherwise authentication fails. The cloud platform passes the authentication result in plaintext to the data transmission device over the MQTT protocol, and the data transmission device passes it to the security enhancement module over the USB protocol. In this example the cloud platform compares only the module information of the security enhancement module; as long as that module information matches, authentication succeeds.
To improve security, in other examples the cloud platform compares not only the module information of the security enhancement module but also the device information of the data transmission device, and authentication succeeds only when the combination of the module information and the device information is consistent with what the cloud platform has stored in advance. Because this approach authenticates on the combination of module information and device information, replacing either the data transmission device or the security enhancement module causes authentication to fail, which improves security.
Step S8: The cloud platform feeds back the authentication result to the data transmission device.
Step S9: If device authentication has passed, the data transmission device sends the original transmission data to the security enhancement module.
This step covers at least the following two cases:
In the first case, the cloud platform sends encrypted first transmission data to the data transmission device, and the data transmission device provides the encrypted first transmission data to the security enhancement module. That is, the original transmission data is the first transmission data sent by the cloud platform to the data transmission device.
In the second case, the data transmission device needs to send unencrypted original transmission data to the cloud platform. To improve security, it first sends the unencrypted original transmission data to the security enhancement module for encryption, which yields second transmission data. The second transmission data is sent by the security enhancement module to the data transmission device and then by the data transmission device to the cloud platform. Correspondingly, the cloud platform receives from the data transmission device the second transmission data that the security enhancement module encrypted with the security key.
Step S10: The data transmission device sends a key agreement request to the cloud platform.
This step may also be performed before step S9; the present invention does not limit when it is performed. It may also be performed repeatedly during subsequent data transmission, that is, a key agreement request is sent to the cloud platform every preset period to replace the security key and improve security. The exact timing and frequency of this step can be set flexibly according to the business scenario.
Optionally, the frequency with which key agreement requests are sent is determined by the device service type and/or device authentication type contained in the device information of the data transmission device mentioned above. For example, if the device service type and/or device authentication type indicate that the device's security level is high, key agreement requests are sent more frequently; otherwise, less frequently. In short, deriving the key agreement frequency from the device service type and/or device authentication type allows flexible adaptation to all kinds of business scenarios.
Step S11: In response to the key agreement request, the cloud platform sends the generated security key to the security enhancement module through the data transmission device.
Here, the cloud platform obtains the device information corresponding to the key agreement request, generates the security key according to that device information, and sends the generated security key to the security enhancement module. The device information includes the device service type and/or device authentication type mentioned above. Correspondingly, the data transmission device provides the security key from the cloud platform to the security enhancement module according to the result returned by the cloud platform.
In one implementation, when the device authentication type is a first authentication type (for example, one-device-one-key), the security key corresponds to the device identifier. This type requires a separate key for each device; because each device is unique, security is high.
When the device authentication type is a second authentication type (for example, one-model-one-key), the security key corresponds to the device model. This type requires a separate key for each device model; because one model may cover several devices, security is slightly lower than with the security key of the first authentication type.
When the device authentication type is a third authentication type (for example, unified key), the security key corresponds to the device service type. This type may generate one unified security key for all devices and therefore has the lowest security; for example, the same security key may be generated for all data transmission devices of the same service type.
The device authentication type and the way the security key is generated depend on factors such as the kind of data in the business scenario, which the present disclosure does not limit.
It can be seen that both the frequency of key agreement requests in the present disclosure (that is, how often the security key is replaced) and the way the security key is generated can be adjusted flexibly to actual business needs, so the security requirements of all kinds of data transmission services can be fully met.
Optionally, to further improve security and avoid the problems that would arise if the security key were maliciously intercepted in transit, in one implementation the cloud platform encrypts the generated security key with the platform private key to obtain a first key, and sends the first key to the security enhancement module through the data transmission device. The data transmission device forwards this first key, obtained by the cloud platform encrypting the security key with the platform private key, to the security enhancement module. Correspondingly, the security enhancement module receives the first key and decrypts it with the platform public key obtained in advance to recover the security key. Both the platform public key and the platform private key are generated by the cloud platform, and the cloud platform provides the platform public key to the security enhancement module in advance; how the two keys are generated can be set flexibly. For example, the platform public key may be the same as the module certificate public key B mentioned above, and the platform private key may be the same as the module certificate private key b mentioned above. The security key is thus asymmetrically encrypted with the platform private key to obtain the first key (that is, the security key in ciphertext form), and the first key is asymmetrically decrypted with the platform public key to recover the security key. Asymmetric encryption and decryption improve security.
The security key is sent to the data transmission device over the MQTT protocol; the data transmission device performs protocol conversion and sends it to the security enhancement module over the USB protocol.
Step S12: The security enhancement module determines the security key corresponding to the original transmission data and performs encryption or decryption on the original transmission data with that security key to obtain secure transmission data.
The security key is obtained through the key agreement operation in the steps above. In addition, the security enhancement module determines the data type of the original transmission data, selects the security key and the encryption/decryption method according to that data type, and encrypts or decrypts the original transmission data accordingly. The data type includes at least one of: plaintext type, ciphertext type, sending type, receiving type, transmission data type and security verification type. The security key includes at least one of: a symmetric key, an asymmetric key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key and a variable key. The encryption/decryption methods include symmetric encryption, symmetric decryption, asymmetric encryption and asymmetric decryption. For example, when the original transmission data is the encrypted first transmission data sent by the cloud platform to the data transmission device, that is, the data type is ciphertext type and receiving type, a decryption operation is performed; when the original transmission data is data the data transmission device is about to send to the cloud platform, that is, the data type is plaintext type and sending type, an encryption operation is performed.
In the first case mentioned above, the original transmission data is the first transmission data sent by the cloud platform to the data transmission device, and the security enhancement module decrypts the first transmission data with the security key.
In the second case mentioned above, the original transmission data is the unencrypted original transmission data that the data transmission device is about to send to the cloud platform, and the security enhancement module encrypts it with the security key.
In addition, the security key can be obtained as follows:
The security key returned by the cloud platform in response to the key agreement request sent by the data transmission device is received; the cloud platform first sends the security key to the data transmission device, which then sends it to the security enhancement module.
Optionally, to improve security, the cloud platform first encrypts the security key with the platform private key to obtain the first key. Correspondingly, the security key is obtained by receiving the first key, obtained by the cloud platform encrypting the security key with the platform private key, and decrypting the first key with the platform public key obtained in advance to recover the security key.
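The following is an added example, not code from the patent or its applicant, of the security-key generation of step S11 and the key acquisition just described: the cloud derives the security key from the device information according to the authentication type (one-device-one-key bound to the device identifier, one-model-one-key bound to the device model, unified key bound to the service type), and the module checks the delivered key against the pre-provisioned platform public key. The disclosure describes the first key as the security key encrypted with the platform private key and decrypted with the platform public key; since that public key is the value handed out in advance, a private-key operation on the key is checkable by anyone holding it, so this example realises it as an RSA-PSS signature that lets the module confirm the key's origin, and leaves hiding the key from an observer on the MQTT/USB path to a separate wrap that is not shown. HMAC-SHA256 derivation from a cloud master secret, the epoch counter, the type names and all sample values are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthType selects what the security key is bound to (step S11).
type AuthType int

const (
	OneDeviceOneKey AuthType = iota // one key per device identifier
	OneModelOneKey                  // one key per device model
	UnifiedKey                      // one key per device service type
)

// DeviceInfo is the registration record the cloud looks up for a key request.
type DeviceInfo struct {
	DeviceID    string
	Model       string
	ServiceType string
}

// DeriveSecurityKey derives the security key from a cloud master secret with
// HMAC-SHA256 over the selector named by the authentication type (the
// derivation method is this example's choice). epoch is incremented on every
// key agreement so repeated requests rotate the key without a new master secret.
func DeriveSecurityKey(master []byte, t AuthType, d DeviceInfo, epoch uint32) ([]byte, error) {
	var selector string
	switch t {
	case OneDeviceOneKey:
		selector = "device:" + d.DeviceID
	case OneModelOneKey:
		selector = "model:" + d.Model
	case UnifiedKey:
		selector = "service:" + d.ServiceType
	default:
		return nil, errors.New("unknown authentication type")
	}
	var e [4]byte
	binary.BigEndian.PutUint32(e[:], epoch)
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(selector))
	mac.Write([]byte{0}) // separator: selector and epoch cannot run together
	mac.Write(e[:])
	return mac.Sum(nil), nil
}

// CloudProtectKey is the platform-private-key operation of step S11, realised
// here as an RSA-PSS signature over the key: anyone holding the platform public
// key can check it, so it proves the key's origin rather than hiding the key.
func CloudProtectKey(priv *rsa.PrivateKey, key []byte) ([]byte, error) {
	digest := sha256.Sum256(key)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// ModuleAcceptKey is the platform-public-key check the module performs before
// it adopts a delivered security key.
func ModuleAcceptKey(pub *rsa.PublicKey, key, sig []byte) bool {
	digest := sha256.Sum256(key)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	master := []byte("constructed-master-secret") // constructed sample secret
	gw1 := DeviceInfo{DeviceID: "gw-0001", Model: "GW-100", ServiceType: "lighting"}
	gw2 := DeviceInfo{DeviceID: "gw-0002", Model: "GW-100", ServiceType: "lighting"}
	for _, at := range []AuthType{OneDeviceOneKey, OneModelOneKey, UnifiedKey} {
		k1, _ := DeriveSecurityKey(master, at, gw1, 1)
		k2, _ := DeriveSecurityKey(master, at, gw2, 1)
		fmt.Printf("auth type %d: gw-0001 and gw-0002 share a key: %v\n", at, hmac.Equal(k1, k2))
	}
	privB, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, _ := DeriveSecurityKey(master, OneDeviceOneKey, gw1, 1)
	sig, _ := CloudProtectKey(privB, key)
	fmt.Println("module accepts delivered key:", ModuleAcceptKey(&privB.PublicKey, key, sig))
}
```

Running the loop in main shows the blast radius of each authentication type directly: two gateways of the same model get distinct keys under one-device-one-key, the same key under one-model-one-key, and the same key under the unified type; bumping the epoch on each key agreement request is what makes the periodic re-negotiation of step S10 actually replace the key.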
Step S13: The security enhancement module sends the secure transmission data to the data transmission device.
The security enhancement module may send the secure transmission data to the data transmission device over the USB protocol. Correspondingly, the data transmission device receives the secure transmission data that the security enhancement module obtained by performing encryption or decryption with the security key corresponding to the original transmission data.
In the first case mentioned above, the original transmission data is the first transmission data sent by the cloud platform to the data transmission device, so the data transmission device processes the decrypted first transmission data. In the second case mentioned above, the data transmission device performs protocol conversion on the secure transmission data so as to send it to the cloud platform over the MQTT protocol.
It can be seen that in this embodiment the data transmission device performs the protocol conversion appropriate to the data type: if the original transmission data was received by the data transmission device from the cloud platform, the data transmission device converts the original transmission data received over the platform transmission protocol (for example the MQTT protocol) to the USB protocol and sends the converted original transmission data to the security enhancement module; if the original transmission data is local data of the data transmission device, the data transmission device converts the secure transmission data received over the preset transmission protocol (for example the USB protocol) to the MQTT protocol and sends the converted secure transmission data to the cloud platform.
In this embodiment, because the transmission protocol used between the data transmission device and the cloud platform differs from the transmission protocol used between the data transmission device and the security enhancement module, the data transmission device must perform protocol conversion on the data it receives or is about to send. Using different transmission protocols between different devices also helps prevent network attacks between the devices, which improves security.
In summary, this embodiment mainly comprises a device registration process (steps S1, S2, S3), a device authentication process (steps S4, S5, S6, S7, S8), a key agreement process (steps S10, S11) and a data exchange process (steps S9, S12, S13). The device registration process and the device authentication process serve mainly to verify device identity; only after both are complete can the key agreement process and data exchange be carried out. The key agreement process and data exchange may be performed one after the other or alternately, and each may be performed multiple times. Repeated key agreement makes the security key change dynamically, which improves security.
For ease of understanding, each process is described in detail below:
一、设备注册:设备端(即数据传输设备)在IOT平台注册以及证书生成1. Device registration: the device side (that is, the data transmission device) registers on the IOT platform and generates a certificate
设备注册过程主要由云平台实施,具体包括以下步骤:The device registration process is mainly implemented by the cloud platform, which specifically includes the following steps:
步骤一、设备注册:需用户提供设备号、设备类型等信息。其中,设备号可采用安全增强模块的唯一ID,即通过安全增强模块的唯一ID完成对设备的注册。设备号在云端进行备份。设备类型包括网关、照明、摄像头等,本方案不对设备类型进行限定。Step 1. Device registration: The user is required to provide device number, device type and other information. Wherein, the device number may be the unique ID of the security enhancement module, that is, the registration of the device is completed through the unique ID of the security enhancement module. The device number is backed up in the cloud. Device types include gateways, lighting, cameras, etc. This solution does not limit the device types.
步骤二、选择认证类型:包括一机一密、一型一密、统一密钥。一机一密针对单一设备进行密钥生成,一型一密针对某一类设备进行密钥生成,统一密钥针对所有设备进行密钥生成。本方案不对认证类型进行限定。本步骤生产密钥记作认证密钥(即上文提到的平台证书密钥和/或模块证书密钥)。Step 2. Select the authentication type: including one machine one secret, one type one secret, and unified key. One machine one secret is used for key generation for a single device, one type one secret is for a certain type of device to generate a key, and the unified key is used for key generation for all devices. This scheme does not limit the authentication type. The key generated in this step is recorded as the authentication key (that is, the platform certificate key and/or module certificate key mentioned above).
步骤三、平台证书加密:平台证书明文由设备号、设备类型、认证类型构成。针对平台证书加密采用密钥A和对称加密的方式进行,比如AES加密算法,生成平台证书密文。Step 3: Platform certificate encryption: The plaintext of the platform certificate consists of device number, device type, and authentication type. For platform certificate encryption, key A and symmetric encryption are used, such as AES encryption algorithm, to generate platform certificate ciphertext.
II. Device authentication
Device authentication is the trusted access of a device to the cloud platform. The overall authentication process comprises several steps, described below for the security enhancement module side, the device side and the cloud side respectively.
1. Security enhancement module side:
The generated platform certificate ciphertext is stored in the security enhancement module in advance. Accordingly, the security enhancement module side performs the following steps:
Step 1. Receive the authentication instruction initiated by the device side.
Inside the security enhancement module, the platform certificate ciphertext is decrypted with key A using symmetric decryption to produce the platform certificate plaintext. Key A is the same key the cloud platform used to encrypt the platform certificate plaintext.
Step 2. Certificate reassembly: obtain the system time from inside the security enhancement module and add a timestamp to the generated platform certificate plaintext to produce the module certificate plaintext.
Step 3. Module certificate ciphertext generation: the module certificate plaintext produced in step 2 is encrypted with public key B using asymmetric encryption. Public key B is obtained as follows: first, the security enhancement module sends a communication request, which the device side converts from the USB protocol to the MQTT protocol. On receiving the communication request, the cloud generates private key b and public key B, stores private key b in the cloud, and sends public key B to the device side over MQTT; the device side converts it to the USB protocol and sends it to the security module.
2. Device side:
The device side sends the module certificate ciphertext: the module certificate ciphertext produced by the security enhancement module is transmitted to the device side over the USB protocol, and the device side transmits it to the cloud over the MQTT protocol.
3. Cloud side:
The authentication process in the cloud includes the following steps:
Step 1. Module certificate ciphertext decryption: the cloud decrypts the module certificate ciphertext with private key b using asymmetric decryption.
Step 2. Platform certificate extraction: the cloud extracts the relevant information from the decrypted module certificate plaintext. In this solution the internal unique ID of the security enhancement module is extracted; that is, the internal unique ID of the security enhancement module is the device's sole root of trust in the cloud.
Step 3. Platform comparison: the internal unique ID of the security module extracted by the platform is compared with the root of trust stored in the cloud. If they match, authentication succeeds; otherwise authentication fails.
Step 4. The authentication result is sent to the device side in plaintext over the MQTT protocol, and the device side passes the authentication result to the security module over the USB protocol.
III. Key negotiation
The key negotiation process includes the following steps:
Step 1. The cloud platform asymmetrically encrypts key C with the platform private key to produce the key C ciphertext.
Step 2. The key C ciphertext is transmitted over the MQTT protocol to the data transmission device, which performs protocol conversion from MQTT to USB and passes the key C ciphertext to the security enhancement module over the USB protocol.
Step 3. The security enhancement module decrypts the key C ciphertext with the platform public key using asymmetric decryption to obtain the key C plaintext. This key C plaintext is the security key determined by key negotiation.
IV. Data transmission
First, the upload process within data transmission includes the following steps:
Step 1. The data transmission device passes the upload data plaintext to the security enhancement module over the USB protocol.
Step 2. The security enhancement module encrypts the upload data plaintext with key C using symmetric encryption to produce the upload data ciphertext.
Step 3. The security enhancement module passes the upload data ciphertext to the data transmission device over the USB protocol; the data transmission device converts from the USB protocol to the MQTT protocol and passes the upload data ciphertext to the cloud platform.
Step 4. The cloud platform decrypts the upload data ciphertext with key C using symmetric decryption to obtain the upload data plaintext.
Next, the download (data delivery) process within data transmission includes the following steps:
Step 1. The cloud platform encrypts the download data plaintext with key C using symmetric encryption to produce the download data ciphertext and transmits it to the data transmission device in MQTT protocol form.
Step 2. The data transmission device converts from the MQTT protocol to the USB protocol and passes the download data ciphertext to the security enhancement module.
Step 3. The security enhancement module decrypts the download data ciphertext with key C using symmetric decryption to obtain the download data plaintext.
Step 4. The security enhancement module passes the download data plaintext to the data transmission device over the USB protocol.
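The four phases above (registration, authentication, key negotiation, data transmission), worked through end to end in Go as an added example. This is not code from the patent or from its assignee, and it fixes details the page leaves open: the platform certificate is encoded as "|"-separated fields, "symmetric encryption, such as AES" is taken as AES-256-GCM, public key B is used with RSA-OAEP, and the key negotiation step ("encrypt key C with the platform private key, decrypt with the platform public key") is realised as an RSA-PSS signature over key C, because a private-key operation that the public key reverses lets the module authenticate key C rather than keep it confidential. Key A, the device number SEM-000042 and the sample payloads are constructed values; the data transmission device's USB/MQTT conversion is plain byte passing and is not modelled.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// must turns calls that cannot fail on a healthy system into panics; real failure modes return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// PlatformCert is the platform certificate plaintext as on the page: device number (the
// security module's unique ID), device type, authentication type. "|" encoding is assumed.
type PlatformCert struct{ DeviceID, DeviceType, AuthType string }
func (c PlatformCert) encode() []byte { return []byte(c.DeviceID + "|" + c.DeviceType + "|" + c.AuthType) }

// The page says only "symmetric encryption, such as AES". AES-256-GCM with the nonce
// prefixed to the ciphertext is assumed, so an altered ciphertext fails to decrypt.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func aesSeal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}
func aesOpen(key, ciphertext []byte) ([]byte, error) {
	g := gcm(key)
	if len(ciphertext) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ciphertext[:g.NonceSize()], ciphertext[g.NonceSize():], nil)
}

// Authentication, module side: decrypt the stored platform certificate with key A, append
// the module's system time, encrypt the module certificate with public key B (RSA-OAEP).
func ModuleCertificate(keyA, platformCT []byte, pubB *rsa.PublicKey) ([]byte, error) {
	plain, err := aesOpen(keyA, platformCT)
	if err != nil {
		return nil, err
	}
	msg := []byte(fmt.Sprintf("%s|%d", plain, time.Now().Unix()))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pubB, msg, nil)
}

// Authentication, cloud side: decrypt with private key b, extract the unique ID and compare
// it with the roots of trust recorded at registration; anything else fails authentication.
func CloudAuthenticate(privB *rsa.PrivateKey, moduleCT []byte, roots map[string]bool) (bool, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privB, moduleCT, nil)
	if err != nil {
		return false, err
	}
	fields := strings.Split(string(plain), "|")
	return len(fields) == 4 && roots[fields[0]], nil
}

// Key negotiation: the page's "encrypt key C with the platform private key, decrypt with the
// platform public key" is a signature, modelled as RSA-PSS; the blob is keyC || signature.
func IssueSessionKey(platformPriv *rsa.PrivateKey) (keyC, blob []byte) {
	keyC = make([]byte, 32)
	must(rand.Read(keyC))
	digest := sha256.Sum256(keyC)
	sig := must(rsa.SignPSS(rand.Reader, platformPriv, crypto.SHA256, digest[:], nil))
	return keyC, append(append([]byte{}, keyC...), sig...)
}
func AcceptSessionKey(platformPub *rsa.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < 32 {
		return nil, fmt.Errorf("key blob too short")
	}
	digest := sha256.Sum256(blob[:32])
	if err := rsa.VerifyPSS(platformPub, crypto.SHA256, digest[:], blob[32:], nil); err != nil {
		return nil, err
	}
	return blob[:32], nil
}

// RunFlow walks registration, authentication, key negotiation and one message each way on constructed data.
func RunFlow() (authenticated bool, upload, download string) {
	privB := must(rsa.GenerateKey(rand.Reader, 2048))        // cloud key pair (B, b)
	platformPriv := must(rsa.GenerateKey(rand.Reader, 2048)) // platform key pair
	keyA := []byte("0123456789abcdef0123456789abcdef")       // constructed 32-byte key A
	roots := map[string]bool{"SEM-000042": true}             // registration: cloud records the root of trust
	platformCT := aesSeal(keyA, PlatformCert{"SEM-000042", "camera", "one-device-one-key"}.encode())
	moduleCT := must(ModuleCertificate(keyA, platformCT, &privB.PublicKey))
	authenticated = must(CloudAuthenticate(privB, moduleCT, roots))
	keyC, blob := IssueSessionKey(platformPriv)
	moduleKeyC := must(AcceptSessionKey(&platformPriv.PublicKey, blob))
	upload = string(must(aesOpen(keyC, aesSeal(moduleKeyC, []byte("temp=21.5")))))    // module -> cloud
	download = string(must(aesOpen(moduleKeyC, aesSeal(keyC, []byte("mode=night"))))) // cloud -> module
	return
}
```

RunFlow returns whether authentication passed and the plaintext recovered on each side. The failure modes the page names are handled by the individual functions: CloudAuthenticate returns false for a module certificate whose unique ID was never registered, AcceptSessionKey rejects a key blob whose signature does not verify under the platform public key, and aesOpen returns an error for a ciphertext altered in transit, which is what the authenticated GCM mode buys over a bare block mode.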
It can be seen that, from a security standpoint, this embodiment allows different security enhancement modules to be tailored to particular scenarios; through customized security enhancement module solutions working together with edge devices and terminal devices, system-level security enhancement is achieved. By adding a security enhancement module to the device side, and by establishing device authentication and a secure data interaction scheme among the security enhancement module, the device side and the platform side, the present disclosure protects the device side to the greatest extent. The security enhancement module exchanges data with the device side through a USB interface so as to be compatible with existing devices. In addition, a secure data interaction mechanism among the security module, the device side and the cloud platform is built through the security module together with the device-side security SDK.
The security enhancement module has at least the following characteristics:
Sensitive data such as keys and certificates are kept in trusted storage and cannot be sent out through the USB interface. Moreover, sensitive data are stored inside the security enhancement module in encrypted form, so that even if the security enhancement module is compromised, the plaintext of the encrypted data stored inside cannot be obtained directly. For example, the security key stored inside the security enhancement module is stored as ciphertext by means of a second encryption step.
In addition, sensitive data stored inside the security enhancement module are never sent out. Sensitive data such as certificates can be written through customized host-computer software and are write-only: they cannot be read back. Furthermore, all encryption and decryption is performed inside the security enhancement module, avoiding the exposure that would result from encrypting and decrypting in an external device.
The security enhancement module can perform key negotiation with the cloud platform dynamically through the data transmission device, and the frequency of key negotiation can be adjusted flexibly according to the device type and authentication method. Moreover, the security key obtained through key negotiation can be generated in different ways depending on the device type and authentication method, so that the key generation method can be chosen according to the data security level, further improving security.
Both the keys used in the authentication process and the keys used in data transmission can be set flexibly according to the data type. For example, the cloud platform dynamically determines a key matching the type of data to be transmitted. That is, both the kind of key and the encryption/decryption method can be set flexibly according to the data type and the interaction process. For example, different encryption/decryption methods can be chosen for different interaction processes, such as a symmetric key for the platform certificate and an asymmetric key for the module certificate, so that the key and the encryption/decryption method are set according to the interaction process and the data security level.
In addition, in the application scenario of the present disclosure, the security module is provided by the IoT cloud platform and is therefore a trusted device, whereas the data transmission device is an external device independent of the cloud platform and is therefore an untrusted device. To avoid the security problems that would result from an attack on the untrusted device, all sensitive data handling and all encryption and decryption are carried out by the security enhancement module.
Furthermore, to improve security further, a software development kit (SDK) is provided for the security enhancement module; the data transmission device only needs to integrate this SDK to communicate with the security enhancement module and the cloud platform. That is, data transmission between the security enhancement module and the data transmission device takes place through a preset application programming interface, and that interface is provided by the SDK corresponding to the security enhancement module. Thus, in this embodiment, data can only be transmitted between the data transmission device and the security enhancement module by calling the API functions provided by the SDK. For example, when the data transmission device sends data to the security enhancement module, it must call the sending API matching the type of data sent; when it receives data returned by the security enhancement module, it must call the receiving API matching the type of data received. Because the parameters and execution logic of every API function in the SDK are predefined, execution logic that would access sensitive data can be kept out of the interface functions when the SDK is defined, thereby preventing malicious access to sensitive data.
An embodiment of the present disclosure further provides a data transmission apparatus, which may be the security enhancement module mentioned above. As shown in Figure 5, the data transmission apparatus provided by an embodiment of the present disclosure includes:
a receiving module 51, configured to receive original transmission data sent by the data transmission device;
an encryption/decryption module 52, configured to determine a security key corresponding to the original transmission data and to perform encryption or decryption on the original transmission data with the security key to obtain secure transmission data;
a sending module 53, configured to send the secure transmission data to the data transmission device; wherein the original transmission data is data to be transmitted between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
In an optional implementation, the apparatus further includes a module certificate generation module, configured to receive and store the platform certificate generated by the cloud platform in response to a device registration request and, in response to an authentication instruction sent by the data transmission device, to add auxiliary verification data to the platform certificate to obtain a module certificate and send the module certificate to the data transmission device, so that the data transmission device can provide the module certificate to the cloud platform for device authentication. The receiving module 51 is then configured to receive the original transmission data sent by the data transmission device once device authentication has passed.
In an optional implementation, the device registration request is sent by the data transmission device and includes the module information of the security enhancement module and the device information of the data transmission device; and the platform certificate includes the module information of the security enhancement module and the device information of the data transmission device.
In an optional implementation, the auxiliary verification data includes timestamp data, and the device information of the data transmission device includes a device service type and/or a device authentication type;
the encryption/decryption module is then configured to receive the security key returned by the cloud platform in response to a key negotiation request sent by the data transmission device, wherein the security key is generated according to the device service type and/or device authentication type.
In an optional implementation, the encryption/decryption module is specifically configured to:
receive a first key obtained by the cloud platform by encrypting the security key with the platform private key, and decrypt the first key with a previously obtained platform public key to obtain the security key.
In an optional implementation, when the device authentication type is a first authentication type, the security key corresponds to the device identifier; when the device authentication type is a second authentication type, the security key corresponds to the device model; and when the device authentication type is a third authentication type, the security key corresponds to the device service type.
In an optional implementation, the platform certificate generated by the cloud platform is a platform certificate in ciphertext form; the module certificate generation module is then specifically configured to:
decrypt the platform certificate in ciphertext form with the platform certificate key provided by the cloud platform to obtain the platform certificate in plaintext form;
add auxiliary verification data to the platform certificate in plaintext form to obtain the module certificate in plaintext form;
encrypt the module certificate in plaintext form with the module certificate key to obtain the module certificate in ciphertext form.
In an optional implementation, the platform certificate in ciphertext form is obtained by symmetric encryption; the module certificate in ciphertext form is obtained by asymmetric encryption; and the module certificate key is obtained from the cloud platform.
In an optional implementation, the encryption/decryption module is specifically configured to:
determine the data type of the original transmission data, and determine the security key and the encryption/decryption method according to the data type;
perform encryption or decryption on the original transmission data using that security key and encryption/decryption method.
In an optional implementation, the data type includes at least one of: a plaintext type, a ciphertext type, a sending type, a receiving type, a transmission data type, and a security verification type;
the security key includes at least one of: a symmetric key, an asymmetric key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key, and a variable key;
and the encryption/decryption method includes a symmetric encryption method, a symmetric decryption method, an asymmetric encryption method, or an asymmetric decryption method.
An embodiment of the present disclosure further provides a data transmission apparatus, which may be the data transmission device mentioned above. As shown in Figure 6, the data transmission apparatus provided by an embodiment of the present disclosure includes:
a sending module 61, configured to send original transmission data to the security enhancement module;
a receiving module 62, configured to receive secure transmission data obtained by the security enhancement module after performing encryption or decryption according to the security key corresponding to the original transmission data;
wherein the original transmission data is data to be transmitted between the data transmission device and the cloud platform, and the security key is obtained from the cloud platform.
In an optional implementation, the apparatus further includes:
a registration module 63, configured to send a device registration request to the cloud platform, so that the security enhancement module receives and stores the platform certificate generated by the cloud platform in response to the device registration request;
an authentication module 64, configured to send an authentication instruction to the security enhancement module, so that the security enhancement module adds auxiliary verification data to the platform certificate to obtain a module certificate;
the receiving module 62 is then further configured to send the module certificate received from the security enhancement module to the cloud platform for device authentication;
and the sending module 61 is specifically configured to send the original transmission data to the security enhancement module once device authentication has passed.
In an optional implementation, the device registration request includes the module information of the security enhancement module and the device information of the data transmission device; and the platform certificate includes the module information of the security enhancement module and the device information of the data transmission device;
the auxiliary verification data includes timestamp data; the device information of the data transmission device includes a device service type and/or a device authentication type; and the security key corresponding to the original transmission data is generated by the cloud platform according to the device service type and/or device authentication type;
wherein, when the device authentication type is a first authentication type, the security key corresponds to the device identifier; when the device authentication type is a second authentication type, the security key corresponds to the device model; and when the device authentication type is a third authentication type, the security key corresponds to the device service type.
In an optional implementation, the apparatus further includes:
a key negotiation module, configured to send a key negotiation request to the cloud platform;
and, according to the result returned by the cloud platform, to provide the security enhancement module with the security key from the cloud platform, wherein the security key is generated according to the device service type and/or device authentication type.
In an optional implementation, the key negotiation module is specifically configured to:
send to the security enhancement module the first key obtained by the cloud platform by encrypting the security key with the platform private key, so that the security enhancement module decrypts the first key with the previously obtained platform public key to obtain the security key.
In an optional implementation, if the original transmission data is data received by the data transmission device from the cloud platform, the sending module is specifically configured to perform protocol conversion on the original transmission data received over the platform transmission protocol and send the converted original transmission data to the security enhancement module;
if the original transmission data is local data of the data transmission device, the receiving module is further configured to perform protocol conversion on the secure transmission data received over the preset transmission protocol and send the converted secure transmission data to the cloud platform.
An embodiment of the present disclosure further provides a cloud platform. As shown in Figure 7, the cloud platform provided by an embodiment of the present disclosure includes:
a key sending module 71, configured to send the generated security key to the security enhancement module;
a first transmission module 72, configured to send encrypted first transmission data to the data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module for decryption with the security key; and/or
a second transmission module 73, configured to receive, from the data transmission device, second transmission data encrypted by the security enhancement module with the security key.
In an optional implementation, the cloud platform further includes:
a platform certificate generation module, configured to generate a platform certificate according to a received device registration request and provide the platform certificate to the security enhancement module;
and the second transmission module is further configured to receive the module certificate sent by the security enhancement module through the data transmission device, parse the module certificate, and perform device authentication according to the parsing result.
In an optional implementation, the platform certificate generation module is specifically configured to:
obtain the module information of the security enhancement module and the device information of the data transmission device contained in the device registration request, and generate the platform certificate according to that module information and device information.
In an optional implementation, the platform certificate generation module is specifically configured to:
encrypt the module information of the security enhancement module and the device information of the data transmission device to obtain the platform certificate in ciphertext form;
and the second transmission module is specifically configured to decrypt the received module certificate in ciphertext form to obtain the module certificate in plaintext form, and to match the module certificate in plaintext form against the previously generated platform certificate; if the match succeeds, device authentication passes.
In an optional implementation, the key sending module is specifically configured to: in response to a key negotiation request sent by the data transmission device, obtain the device information corresponding to the key negotiation request; generate a security key according to that device information; and send the generated security key to the security enhancement module; wherein the device information includes a device service type and/or a device authentication type.
In an optional implementation, the key sending module is specifically configured to encrypt the security key with the platform private key to obtain a first key, and to send the first key to the security enhancement module through the data transmission device, so that the security enhancement module decrypts the first key with the previously obtained platform public key to obtain the security key.
An embodiment of the present disclosure further provides a data transmission system. As shown in Figure 8, the data transmission system provided by an embodiment of the present disclosure includes:
a first data transmission apparatus 81, a second data transmission apparatus 82 and a cloud platform 83. The first data transmission apparatus 81 may be the security enhancement module shown in Figure 5, the second data transmission apparatus 82 may be the data transmission device shown in Figure 6, and the structure of the cloud platform 83 may be as shown in Figure 7.
参照图9,本公开实施例提供一种电子设备,其包括:Referring to FIG. 9, an embodiment of the present disclosure provides an electronic device, which includes:
一个或多个处理器901;one or more processors 901;
存储器902,其上存储有一个或多个程序,当一个或多个程序被一个或多个处理器执行,使得一个或多个处理器实现上述任意一项的数据传输方法; Memory 902, on which one or more programs are stored, and when one or more programs are executed by one or more processors, one or more processors implement any one of the data transmission methods described above;
一个或多个I/O接口903,连接在处理器与存储器之间,配置为实现处理器与存储器的信息交互。One or more I/O interfaces 903 are connected between the processor and the memory, and are configured to realize information exchange between the processor and the memory.
其中,处理器901为具有数据处理能力的器件,其包括但不限于中央处理器(CPU)等;存储器902为具有数据存储能力的器件,其包括但不限于随机存取存储器(RAM,更具体如SDRAM、DDR等)、只读存储器(ROM)、带电可擦可编程只读存储器(EEPROM)、闪存(FLASH);I/O接口(读写接口)903连接在处理器901与存储器902间,能实现处理器901与存储器902的信息交互,其包括但不限于数据总线(Bus)等。Wherein, the processor 901 is a device with data processing capability, which includes but not limited to a central processing unit (CPU), etc.; the memory 902 is a device with data storage capability, which includes but not limited to a random access memory (RAM, more specifically Such as SDRAM, DDR, etc.), read-only memory (ROM), electrified erasable programmable read-only memory (EEPROM), flash memory (FLASH); I/O interface (read-write interface) 903 is connected between processor 901 and memory 902 , can realize information interaction between the processor 901 and the memory 902, which includes but not limited to a data bus (Bus) and the like.
在一些实施例中,处理器901、存储器902和I/O接口903通过总线相互连接,进而与计算设备的其它组件连接。In some embodiments, the processor 901, the memory 902 and the I/O interface 903 are connected to each other through a bus, and further connected to other components of the computing device.
本实施例还提供一种计算机可读介质,其上存储有计算机程序,程序被处理器执行时实现本实施例提供的数据传输方法,为避免重复描述,在此不再赘述数据传输方法的具体步骤。This embodiment also provides a computer-readable medium, on which a computer program is stored. When the program is executed by a processor, the data transmission method provided by this embodiment is implemented. In order to avoid repeated descriptions, details of the data transmission method will not be repeated here. step.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and devices, may be implemented as software, firmware, hardware, or a suitable combination thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed by several physical components cooperating. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information, such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
It should be noted that, in this document, the terms "comprise", "include" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus comprising a set of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, article or apparatus comprising that element.
It will be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principles of the present disclosure/utility model, and the present disclosure/utility model is not limited thereto. Those of ordinary skill in the art may make various modifications and improvements without departing from the spirit and essence of the present disclosure/utility model, and such modifications and improvements are also regarded as falling within the scope of protection of the present disclosure/utility model.

Claims (30)

  1. A data transmission method applied to a security enhancement module, comprising:
    receiving original transmission data sent by a data transmission device;
    determining a security key corresponding to the original transmission data, and performing encryption/decryption processing on the original transmission data with the security key to obtain secure transmission data;
    sending the secure transmission data to the data transmission device;
    wherein the original transmission data is data to be transmitted between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
  2. The method according to claim 1, wherein, before receiving the original transmission data sent by the data transmission device, the method further comprises:
    receiving and storing a platform certificate generated by the cloud platform in response to a device registration request;
    in response to an authentication instruction sent by the data transmission device, adding auxiliary verification data to the platform certificate to obtain a module certificate, and sending the module certificate to the data transmission device so that the data transmission device provides the module certificate to the cloud platform for device authentication;
    and the receiving of the original transmission data sent by the data transmission device specifically comprises: receiving the original transmission data sent by the data transmission device once device authentication has passed.
  3. The method according to claim 2, wherein the device registration request is sent by the data transmission device, and the device registration request includes module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes the module information of the security enhancement module and the device information of the data transmission device.
  4. The method according to claim 3, wherein the auxiliary verification data includes timestamp data, and the device information of the data transmission device includes a device service type and/or a device authentication type;
    and the determining of the security key corresponding to the data type of the original transmission data comprises: receiving the security key returned by the cloud platform in response to a key negotiation request sent by the data transmission device, wherein the security key is generated according to the device service type and/or the device authentication type.
  5. The method according to claim 4, wherein the receiving of the security key returned by the cloud platform in response to the key negotiation request sent by the data transmission device comprises:
    receiving a first key obtained by the cloud platform by encrypting the security key with a platform private key; and decrypting the first key with a pre-acquired platform public key to obtain the security key.
  6. The method according to claim 5, wherein, when the device authentication type is a first authentication type, the security key corresponds to a device identifier; when the device authentication type is a second authentication type, the security key corresponds to a device model; and when the device authentication type is a third authentication type, the security key corresponds to a device service type.
  7. The method according to any one of claims 2-6, wherein the platform certificate generated by the cloud platform is a platform certificate in ciphertext form, and the adding of auxiliary verification data to the platform certificate to obtain a module certificate comprises:
    decrypting the platform certificate in ciphertext form with a platform certificate key provided by the cloud platform to obtain a platform certificate in plaintext form;
    adding the auxiliary verification data to the platform certificate in plaintext form to obtain a module certificate in plaintext form;
    encrypting the module certificate in plaintext form with a module certificate key to obtain a module certificate in ciphertext form.
  8. The method according to claim 7, wherein the platform certificate in ciphertext form is obtained by symmetric encryption; the module certificate in ciphertext form is obtained by asymmetric encryption; and the module certificate key is obtained from the cloud platform.
  9. The method according to any one of claims 1-6, wherein the determining of the security key corresponding to the original transmission data and the performing of encryption/decryption processing on the original transmission data with the security key comprise:
    determining a data type of the original transmission data, and determining the security key and an encryption/decryption method according to the data type;
    performing encryption/decryption processing on the original transmission data with the security key and the encryption/decryption method.
  10. The method according to claim 9, wherein the data type includes at least one of: a plaintext type, a ciphertext type, a sending type, a receiving type, a transmission data type, and a security verification type;
    and the security key includes at least one of: a symmetric key, an asymmetric key, a key obtained from the cloud platform, a locally generated key, an encryption key, a decryption key, a fixed key, and a variable key;
    and the encryption/decryption method includes: a symmetric encryption method, a symmetric decryption method, an asymmetric encryption method, and an asymmetric decryption method.
  11. The method according to any one of claims 1-6, wherein the security enhancement module is pluggably connected to the data transmission device through a preset interface, and the security enhancement module communicates with the data transmission device through a preset transmission protocol corresponding to the preset interface; wherein the preset interface includes a USB interface.
  12. The method according to any one of claims 1-6, wherein data transmission between the security enhancement module and the data transmission device is performed through a preset application programming interface; and the application programming interface is provided by a software development kit corresponding to the security enhancement module.
  13. A data transmission method applied to a data transmission device, comprising:
    sending original transmission data to a security enhancement module;
    receiving secure transmission data obtained by the security enhancement module by performing encryption/decryption processing according to a security key corresponding to the original transmission data;
    wherein the original transmission data is data to be transmitted between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
  14. The method according to claim 13, wherein, before sending the original transmission data to the security enhancement module, the method further comprises:
    sending a device registration request to the cloud platform, so that the security enhancement module receives and stores a platform certificate generated by the cloud platform in response to the device registration request;
    sending an authentication instruction to the security enhancement module, so that the security enhancement module adds auxiliary verification data to the platform certificate to obtain a module certificate;
    sending the module certificate received from the security enhancement module to the cloud platform, so that the cloud platform performs device authentication;
    and the sending of the original transmission data to the security enhancement module specifically comprises: sending the original transmission data to the security enhancement module once device authentication has passed.
  15. The method according to claim 14, wherein the device registration request includes module information of the security enhancement module and device information of the data transmission device; and the platform certificate includes the module information of the security enhancement module and the device information of the data transmission device;
    and the auxiliary verification data includes timestamp data; the device information of the data transmission device includes a device service type and/or a device authentication type; and the security key corresponding to the original transmission data is generated by the cloud platform according to the device service type and/or the device authentication type;
    wherein, when the device authentication type is a first authentication type, the security key corresponds to a device identifier; when the device authentication type is a second authentication type, the security key corresponds to a device model; and when the device authentication type is a third authentication type, the security key corresponds to a device service type.
  16. The method according to any one of claims 13-15, wherein, before receiving the secure transmission data obtained by the security enhancement module according to the security key corresponding to the original transmission data, the method further comprises:
    sending a key negotiation request to the cloud platform;
    according to the result returned by the cloud platform, providing the security enhancement module with the security key from the cloud platform; wherein the security key is generated according to the device service type and/or the device authentication type.
  17. The method according to claim 16, wherein the providing of the security key from the cloud platform to the security enhancement module comprises:
    sending a first key, obtained by the cloud platform by encrypting the security key with a platform private key, to the security enhancement module, so that the security enhancement module decrypts the first key with a pre-acquired platform public key to obtain the security key.
  18. The method according to any one of claims 13-15, wherein, if the original transmission data is data received by the data transmission device from the cloud platform, the sending of the original transmission data to the security enhancement module comprises: performing protocol conversion processing on the original transmission data received through a platform transmission protocol, and sending the protocol-converted original transmission data to the security enhancement module;
    and if the original transmission data is local data of the data transmission device, then after receiving the secure transmission data obtained by the security enhancement module by performing encryption/decryption processing according to the security key corresponding to the original transmission data, the method further comprises: performing protocol conversion processing on the secure transmission data received through a preset transmission protocol, and sending the protocol-converted secure transmission data to the cloud platform.
  19. A data transmission method applied to a cloud platform, comprising:
    sending a generated security key to a security enhancement module;
    sending encrypted first transmission data to a data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module and the security enhancement module performs decryption processing according to the security key; and/or,
    receiving, from the data transmission device, second transmission data encrypted by the security enhancement module with the security key.
  20. The method according to claim 19, wherein the method further comprises:
    generating a platform certificate according to a received device registration request, and providing the platform certificate to the security enhancement module;
    receiving a module certificate sent by the security enhancement module through the data transmission device;
    parsing the module certificate, and performing device authentication according to the parsing result.
  21. The method according to claim 20, wherein the generating of a platform certificate according to the received device registration request comprises:
    obtaining module information of the security enhancement module and device information of the data transmission device contained in the device registration request, and generating the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device.
  22. The method according to claim 21, wherein the generating of the platform certificate according to the module information of the security enhancement module and the device information of the data transmission device comprises:
    encrypting the module information of the security enhancement module and the device information of the data transmission device to obtain a platform certificate in ciphertext form;
    and the parsing of the module certificate and performing of device authentication according to the parsing result comprise:
    decrypting the received module certificate in ciphertext form to obtain a module certificate in plaintext form;
    matching the module certificate in plaintext form against the pre-generated platform certificate; if the match succeeds, device authentication passes.
  23. The method according to any one of claims 19-22, wherein the sending of the generated security key to the security enhancement module comprises:
    in response to a key negotiation request sent by the data transmission device, obtaining device information corresponding to the key negotiation request;
    generating the security key according to the device information, and sending the generated security key to the security enhancement module; wherein the device information includes a device service type and/or a device authentication type.
  24. The method according to claim 23, wherein the sending of the generated security key to the security enhancement module comprises:
    encrypting the security key with a platform private key to obtain a first key;
    sending the first key to the security enhancement module through the data transmission device, so that the security enhancement module decrypts the first key with a pre-acquired platform public key to obtain the security key.
  25. A data transmission apparatus, comprising:
    a receiving module configured to receive original transmission data sent by a data transmission device;
    an encryption/decryption module configured to determine a security key corresponding to the original transmission data, and to perform encryption/decryption processing on the original transmission data with the security key to obtain secure transmission data;
    a sending module configured to send the secure transmission data to the data transmission device;
    wherein the original transmission data is data to be transmitted between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
  26. A data transmission apparatus, comprising:
    a sending module configured to send original transmission data to a security enhancement module;
    a receiving module configured to receive secure transmission data obtained by the security enhancement module by performing encryption/decryption processing according to a security key corresponding to the original transmission data;
    wherein the original transmission data is data to be transmitted between the data transmission device and a cloud platform, and the security key is obtained from the cloud platform.
  27. A cloud platform, comprising:
    a key sending module configured to send a generated security key to a security enhancement module;
    a first transmission module configured to send encrypted first transmission data to a data transmission device, so that the data transmission device provides the first transmission data to the security enhancement module and the security enhancement module performs decryption processing according to the security key; and/or,
    a second transmission module configured to receive, from the data transmission device, second transmission data encrypted by the security enhancement module with the security key.
  28. A data transmission system, comprising:
    the data transmission apparatus according to claim 25, the data transmission apparatus according to claim 26, and the cloud platform according to claim 27.
  29. An electronic device, comprising:
    one or more processors;
    a memory storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method according to any one of claims 1-12, 13-18 or 19-24;
    one or more I/O interfaces connected between the processor and the memory and configured to realize information exchange between the processor and the memory.
  30. A computer-readable medium on which a computer program is stored, the program, when executed by a processor, implementing the method according to any one of claims 1-12, 13-18 or 19-24.
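The registration, device authentication, key negotiation and data protection exchange of claims 2-9 and 19-24, simulated end to end as an added Python example; this is not code from the patent or its applicant. The HMAC-SHA256 stand-in for the platform private/public key and module certificate operations, the SHA-256 keystream cipher, the root-secret key derivation, and all class names and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import time

MODULE_INFO = {"module_id": "SEM-0001", "firmware": "1.0"}  # constructed sample (assumption)
DEVICE_INFO = {"device_id": "DEV-42", "model": "GW-X1", "service_type": "metering", "auth_type": 1}

def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 tag; stands in for the asymmetric operations the claims name (assumption).
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher (assumption): SHA-256 counter-mode keystream XORed into the data.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC envelope: nonce || ciphertext || tag.
    nonce = os.urandom(12)
    body = nonce + _keystream_xor(key, nonce, plaintext)
    return body + _mac(key, body)

def unseal(key: bytes, envelope: bytes) -> bytes:
    body, tag = envelope[:-32], envelope[-32:]
    if len(body) < 12 or not hmac.compare_digest(tag, _mac(key, body)):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, body[:12], body[12:])

class CloudPlatform:
    def __init__(self):
        self.cert_key = os.urandom(32)         # platform certificate key (symmetric, claims 7-8)
        self.module_cert_key = os.urandom(32)  # module certificate key, handed to the module (claim 8)
        self.platform_key = os.urandom(32)     # stands in for the platform key pair (assumption)
        self.root_key = os.urandom(32)         # constructed master secret for key derivation (assumption)
        self.registered = {}                   # device_id -> plaintext platform certificate

    def register(self, module_info: dict, device_info: dict) -> bytes:
        # Claims 20-22: the platform certificate carries module and device info, issued in ciphertext form.
        cert = json.dumps({"module": module_info, "device": device_info}, sort_keys=True).encode()
        self.registered[device_info["device_id"]] = cert
        return seal(self.cert_key, cert)

    def authenticate(self, module_cert: bytes, max_age_s: int = 300) -> bool:
        # Claim 22: decrypt the module certificate and match it against the stored platform certificate;
        # the timestamp the module added (claim 4) is also checked for freshness.
        try:
            parsed = json.loads(unseal(self.module_cert_key, module_cert))
        except ValueError:
            return False
        stored = self.registered.get(parsed.get("device", {}).get("device_id"))
        if stored is None or abs(time.time() - parsed.get("timestamp", 0)) > max_age_s:
            return False
        expected = json.loads(stored)
        return parsed["module"] == expected["module"] and parsed["device"] == expected["device"]

    def derive_key(self, device_info: dict) -> bytes:
        # Claims 6 and 23: the authentication type decides whether the key is per device ID, model or service type.
        selector = {1: "device_id", 2: "model", 3: "service_type"}[device_info["auth_type"]]
        return _mac(self.root_key, f"{selector}={device_info[selector]}".encode())

    def negotiate_key(self, device_info: dict) -> bytes:
        # Claim 24: the security key is protected with the platform key to form the "first key".
        return seal(self.platform_key, self.derive_key(device_info))

class SecurityEnhancementModule:
    def __init__(self, cert_key: bytes, module_cert_key: bytes, platform_key: bytes):
        self.cert_key, self.module_cert_key, self.platform_key = cert_key, module_cert_key, platform_key
        self.platform_cert, self.security_key = b"", b""

    def make_module_cert(self) -> bytes:
        # Claim 7: decrypt the stored platform certificate, add the timestamp, re-encrypt it as the module certificate.
        plain = json.loads(unseal(self.cert_key, self.platform_cert))
        plain["timestamp"] = int(time.time())
        return seal(self.module_cert_key, json.dumps(plain, sort_keys=True).encode())

    def install_first_key(self, first_key: bytes) -> None:
        # Claim 5: recover the security key from the protected first key.
        self.security_key = unseal(self.platform_key, first_key)

    def process(self, data: bytes, data_type: str) -> bytes:
        # Claim 9: the data type selects the operation; "send" encrypts local data, "receive" decrypts cloud data.
        if data_type not in ("send", "receive"):
            raise ValueError(f"unknown data type {data_type!r}")
        return seal(self.security_key, data) if data_type == "send" else unseal(self.security_key, data)

def run_flow(device_info: dict = DEVICE_INFO, uplink: bytes = b"reading 12.5 kWh", downlink: bytes = b"interval 60") -> dict:
    # The data transmission device drives the exchange (claims 13-18); returns what each side ends up with.
    cloud = CloudPlatform()
    module = SecurityEnhancementModule(cloud.cert_key, cloud.module_cert_key, cloud.platform_key)
    module.platform_cert = cloud.register(MODULE_INFO, device_info)   # registration (claim 2)
    if not cloud.authenticate(module.make_module_cert()):             # device authentication
        return {"authenticated": False}
    module.install_first_key(cloud.negotiate_key(device_info))        # key negotiation
    cloud_key = cloud.derive_key(device_info)
    return {"authenticated": True, "keys_match": module.security_key == cloud_key,
            "cloud_received": unseal(cloud_key, module.process(uplink, "send")),
            "module_received": module.process(seal(cloud_key, downlink), "receive")}
```

With auth_type 2 or 3, two devices sharing a model or service type derive the same key, which is the trade-off claim 6 leaves to the deployment: a per-model key means one compromised module exposes every device of that model.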
PCT/CN2022/074293 2022-01-27 2022-01-27 Data transmission method, apparatus and system, electronic device, and readable medium WO2023141876A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202280000084.1A CN116830525A (en) 2022-01-27 2022-01-27 Data transmission method, device, system, electronic equipment and readable medium
PCT/CN2022/074293 WO2023141876A1 (en) 2022-01-27 2022-01-27 Data transmission method, apparatus and system, electronic device, and readable medium

Publications (1)

Publication Number Publication Date
WO2023141876A1 true WO2023141876A1 (en) 2023-08-03

Family

ID=87469906


Country Status (2)

Country Link
CN (1) CN116830525A (en)
WO (1) WO2023141876A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117560224A (en) * 2024-01-08 2024-02-13 深圳高新区信息网有限公司 Password governance system and method
CN117560224B (en) * 2024-01-08 2024-04-26 深圳高新区信息网有限公司 Password governance system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210044972A1 (en) * 2019-08-08 2021-02-11 Zettaset, Inc. Efficient Internet-Of-Things (IoT) Data Encryption/Decryption
CN112804310A (en) * 2020-12-31 2021-05-14 河南中盾云安信息科技有限公司 Multi-chain intelligent security gateway for application of Internet of things and implementation method
US20210152545A1 (en) * 2019-11-18 2021-05-20 Ciot Systems and methods for authenticating device through iot cloud using hardware security module
US20210209237A1 (en) * 2018-09-26 2021-07-08 Oleg Dmitrievich Gurin Method and system of ensuring interaction of devices of the internet of things (iot)


Also Published As

Publication number Publication date
CN116830525A (en) 2023-09-29


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202280000084.1

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22922722

Country of ref document: EP

Kind code of ref document: A1